beautypg.com

Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual

Page 143

background image

133

Configuration procedure

NOTE:

For re-DHCP authentication, configure a public address pool (20.20.20.0/24, in this example) and a
private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown.)

For re-DHCP authentication, the SecPath must be configured as a DHCP relay agent (instead of a DHCP
server) and the portal-enabled interface must be configured with a primary IP address (a public IP

address) and a secondary IP address (a private IP address). For information about DHCP relay agent

configuration, see

Network Management Configuration Guide.

Make sure that the IP address of the portal device added on the portal server is the public IP address of
the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP

address group associated with the portal device is the private network segment where the users reside

(10.0.0.0/24 in this example), and the public IP address range for the IP address group is the public
network segment 20.20.20.0/24.

Configure IP addresses for the SecPath and servers as shown in

Figure 118

and make sure that the host,

SecPath, and servers can reach each other.

Configure the RADIUS server properly to provide authentication/accounting functions for users.

1.

Configure a RADIUS scheme on the SecPath:
# Create a RADIUS scheme named rs1, and enter its view.

system-view

[SecPath] radius scheme rs1

# Set the server type for the RADIUS scheme. When using the CAMS or IMC server, set the server

type to extended.

[SecPath-radius-rs1] server-type extended

# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers.

[SecPath-radius-rs1] primary authentication 192.168.0.113

[SecPath-radius-rs1] primary accounting 192.168.0.113

[SecPath-radius-rs1] key authentication radius

[SecPath-radius-rs1] key accounting radius

# Specify that the ISP domain name should not be included in the username sent to the RADIUS
server.

[SecPath-radius-rs1] user-name-format without-domain

[SecPath-radius-rs1] quit

2.

Configure an authentication domain on the SecPath:
# Create an ISP domain named dm1 and enter its view.

[SecPath] domain dm1

# Configure AAA methods for the ISP domain.

[SecPath-isp-dm1] authentication portal radius-scheme rs1

[SecPath-isp-dm1] authorization portal radius-scheme rs1

[SecPath-isp-dm1] accounting portal radius-scheme rs1

[SecPath-isp-dm1] quit

# Configure dm1 as the default ISP domain for all users. Then, if a user enters a username without

any ISP domain at logon, the authentication and accounting methods of the default domain will be

used for the user.