Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual

Page 149

139

Configuration procedure

NOTE:
•

For re-DHCP authentication, configure a public address pool (20.20.20.0/24, in this example) and a
private address pool (10.0.0.0/24, in this example) on the DHCP server. (Details not shown.)

•

For re-DHCP authentication, the SecPath must be configured as a DHCP relay agent (instead of a DHCP
server) and the portal-enabled interface must be configured with a primary IP address (a public IP

address) and a secondary IP address (a private IP address). For information about DHCP relay agent

configuration, see

Network Management Configuration Guide.

•

Make sure that the IP address of the portal device added on the portal server is the public IP address of
the interface connecting users (20.20.20.1 in this example), the private IP address range for the IP

address group associated with the portal device is the private network segment where the users reside

(10.0.0.0/24 in this example), and the public IP address range for the IP address group is the public
network segment 20.20.20.0/24.

•

Configure IP addresses for the SecPath and servers as shown in

Figure 121

and make sure that the host,

SecPath, and servers can reach each other.

•

Configure the RADIUS server properly to provide authentication/accounting functions for users.

Configure a RADIUS scheme on the SecPath:
# Create a RADIUS scheme named rs1 and enter its view.

system-view

[SecPath] radius scheme rs1

# Set the server type for the RADIUS scheme. When using the CAMS or IMC server, set the server

type to extended.

[SecPath-radius-rs1] server-type extended

# Specify the primary authentication server and primary accounting server, and configure the keys
for communication with the servers.

[SecPath-radius-rs1] primary authentication 192.168.0.113

[SecPath-radius-rs1] primary accounting 192.168.0.113

[SecPath-radius-rs1] key authentication radius

[SecPath-radius-rs1] key accounting radius

[SecPath-radius-rs1] user-name-format without-domain

# Configure the IP address of the security policy server.

[SecPath-radius-rs1] security-policy-server 192.168.0.114

[SecPath-radius-rs1] quit

Configure an authentication domain on the SecPath:
# Create an ISP domain named dm1 and enter its view.

[SecPath] domain dm1

# Configure AAA methods for the ISP domain.

[SecPath-isp-dm1] authentication portal radius-scheme rs1

[SecPath-isp-dm1] authorization portal radius-scheme rs1

[SecPath-isp-dm1] accounting portal radius-scheme rs1

[SecPath-isp-dm1] quit

# Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without

the ISP domain at logon, the authentication and accounting methods of the default domain will be
used for the user.

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS