Network requirements – H3C Technologies H3C SecPath F1000-E User Manual

[SecPath] domain default enable dm1

3. On the SecPath, configure the ACL (ACL 3000) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001) for Internet resources.

[SecPath] acl number 3000
[SecPath-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[SecPath-acl-adv-3000] rule deny ip
[SecPath-acl-adv-3000] quit
[SecPath] acl number 3001
[SecPath-acl-adv-3001] rule permit ip
[SecPath-acl-adv-3001] quit

ACL rules are matched top-down and the first match wins, so the explicit "rule deny ip" at the end of ACL 3000 limits a user bound to it to 192.168.0.0/24 only (0.0.0.255 is a wildcard mask, in which set bits are ignored, not a subnet mask), while ACL 3001 permits all traffic.

On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.
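The following is an added example, not code from the H3C manual: a small model of how the isolation ACL (3000) and security ACL (3001) configured in step 3 are evaluated against a destination address, and which ACL applies to a user in each authentication state. The `Rule`, `evaluate` and `allowed` helpers, the state names and the sample addresses are assumptions made for this example; the wildcard-mask and first-match semantics are those of the Comware ACLs on the page.

```python
"""Added example (not from the H3C manual): model of isolation ACL 3000 and
security ACL 3001 from step 3, evaluated with first-match, wildcard-mask
semantics. Helper names, user-state names and sample addresses are assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    dst: int = 0                 # destination address the rule compares against
    wildcard: int = 0xFFFFFFFF   # wildcard mask: set bits are don't-care


def rule(action: str, destination: Optional[str] = None,
         wildcard: Optional[str] = None) -> Rule:
    """Build a rule like 'rule permit ip destination A W'.
    Without a destination the rule matches everything ('rule deny ip')."""
    if destination is None:
        return Rule(action)
    return Rule(action,
                int(ipaddress.IPv4Address(destination)),
                int(ipaddress.IPv4Address(wildcard)))


def rule_matches(r: Rule, dst_ip: str) -> bool:
    """Wildcard comparison: only bits that are 0 in the wildcard must agree."""
    keep = ~r.wildcard & 0xFFFFFFFF
    dst = int(ipaddress.IPv4Address(dst_ip))
    return (dst & keep) == (r.dst & keep)


def evaluate(acl: List[Rule], dst_ip: str) -> str:
    """First match wins. Default for no match is assumed to be deny here; both
    ACLs on the page end with a catch-all rule, so the default never triggers."""
    for r in acl:
        if rule_matches(r, dst_ip):
            return r.action
    return "deny"


# Constructed transcription of the ACLs configured in step 3.
ACL_3000_ISOLATION = [
    rule("permit", "192.168.0.0", "0.0.0.255"),  # rule permit ip destination 192.168.0.0 0.0.0.255
    rule("deny"),                                # rule deny ip
]
ACL_3001_SECURITY = [
    rule("permit"),                              # rule permit ip
]

# Which authorization ACL the security policy server assigns per user state
# (state names are assumptions for this model).
ACL_FOR_STATE = {
    "security_failed": ACL_3000_ISOLATION,   # identity auth passed, security check failed
    "security_passed": ACL_3001_SECURITY,    # identity auth and security check passed
}


def allowed(user_state: str, dst_ip: str) -> bool:
    """True if a user in the given state may reach dst_ip."""
    return evaluate(ACL_FOR_STATE[user_state], dst_ip) == "permit"


def mask_pitfall(dst_ip: str) -> str:
    """Shows what happens if 255.255.255.0 is typed as if it were a subnet mask:
    as a wildcard it ignores the first three octets and matches only on the last."""
    mistaken = [rule("permit", "192.168.0.0", "255.255.255.0"), rule("deny")]
    return evaluate(mistaken, dst_ip)


if __name__ == "__main__":
    for state in ACL_FOR_STATE:
        for ip in ("192.168.0.50", "192.168.1.1", "8.8.8.8"):
            print(f"{state:16s} -> {ip:14s} {'permit' if allowed(state, ip) else 'deny'}")
    print("wildcard typo, 192.168.0.50:", mask_pitfall("192.168.0.50"))
    print("wildcard typo, 10.1.1.0:    ", mask_pitfall("10.1.1.0"))
```

Running the block prints a permit/deny table for both user states; the `mask_pitfall` function illustrates why getting the wildcard mask wrong silently opens the isolation ACL to addresses outside the intended subnet while blocking the intended hosts.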

4. Configure extended portal authentication on the SecPath:

# Configure the portal server as follows (the key must match the key configured on the portal server itself):
- Name: newpt
- IP address: 192.168.0.111
- Key: portal
- Port number: 50100
- URL: http://192.168.0.111:8080/portal

[SecPath] portal server newpt ip 192.168.0.111 key portal port 50100 url http://192.168.0.111:8080/portal

# Configure the SecPath as a DHCP relay agent, and enable the IP address check function. With address check enabled, the relay agent discards packets from a client whose IP address does not match its DHCP relay entry, so a host cannot skip re-DHCP by configuring a static address. The primary address (20.20.20.1) serves the public address range assigned after authentication; the secondary address (10.0.0.1, sub) serves the private range assigned before authentication, as the re-DHCP method requires.

[SecPath] dhcp enable
[SecPath] dhcp relay server-group 0 ip 192.168.0.112
[SecPath] interface gigabitethernet 0/2
[SecPath-GigabitEthernet0/2] ip address 20.20.20.1 255.255.255.0
[SecPath-GigabitEthernet0/2] ip address 10.0.0.1 255.255.255.0 sub
[SecPath-GigabitEthernet0/2] dhcp select relay
[SecPath-GigabitEthernet0/2] dhcp relay server-select 0
[SecPath-GigabitEthernet0/2] dhcp relay address-check enable

# Enable portal authentication (re-DHCP method) on the interface connecting the host.
[SecPath-GigabitEthernet0/2] portal server newpt method redhcp
[SecPath-GigabitEthernet0/2] quit

Configuring cross-subnet portal authentication with extended functions

Network requirements

As shown in Figure 122:

- SecPath A is configured for cross-subnet extended portal authentication. If a user fails the security check after passing identity authentication, the user can access only subnet 192.168.0.0/24. After passing the security check, the user can access Internet resources.
- The host accesses SecPath A through SecPath B.
- A RADIUS server serves as the authentication/accounting server.