
华为S5700/S7703三层交换机与蓝海卓越系统 对接实现Portal认证+MAC无感知认证

华为S5700/S7703,Portal认证,MAC无感知认证
作者:小编 上传时间:2021-09-20 浏览量:233
详细介绍

华为S5700/S7703三层交换机与蓝海卓越系统

对接实现Portal认证+MAC无感知认证

拓扑描述:

华为S5700/S7703三层交换机与蓝海卓越系统 对接实现Portal认证+MAC无感知认证(图1) 

出口网关上接互联网,做NAT。

出口网关上做DHCP、宽带拨号

网关下接华为S5700/S7703三层交换机

下接普通无线AP,做桥接模式


蓝海卓越认证服务器配置:

     华为S5700/S7703三层交换机与蓝海卓越系统 对接实现Portal认证+MAC无感知认证(图2)

华为S5700/S7703三层交换机与蓝海卓越系统 对接实现Portal认证+MAC无感知认证(图3)

 

然后添加用户组、添加套餐,添加用户(具体请参考使用手册)

华为交换机配置参考(以下为实验环境的完整 dis cur 输出。其中 telnet server、ssh server compatible-ssh1x、vty 上的 protocol inbound all 与 user privilege level 15、undo info-center enable 等属于设备管理面设置,与 Portal/MAC 认证对接本身无关,仅为测试环境方便;生产环境应按自身安全基线调整,并重新生成配置中出现的各类密钥,而不是直接沿用):

[LeeSon-SW]dis cur 
!Software Version V200R005C00SPC500
#
sysname LeeSon-SW
#
undo info-center enable
#
dns resolve
dns server 114.114.114.114
dns server 8.8.8.8
#
vcmp role silent
#
vlan batch 10 100
#
lnp disable
#
undo authentication unified-mode
#
telnet server enable
telnet ipv6 server enable
#
mac-authen
mac-authen domain leeson.com
#
http server load s5700si-v200r005c00spc500.web.7z
#
undo management-port isolate enable
undo management-plane isolate enable
#
dhcp enable
#
radius-server template radius
radius-server shared-key cipher %@%@3:T<:/_JKF'gF"J@xmE&]1+i%@%@
radius-server authentication 192.168.0.1 1812 weight 80
radius-server accounting 192.168.0.1 1813 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
radius-attribute nas-ip 192.168.0.250
#
url-template name portal
url http://192.168.0.1
url-parameter user-mac mac redirect-url url sysname nasname user-ipaddress wlanuserip
url-parameter mac-address format delimiter : normal
#
web-auth-server portal
server-ip 192.168.0.5 192.168.0.1
port 50100
shared-key cipher %@%@\r5pOb*+_0<)8#R90%sI~n{o%@%@
url http://192.168.0.1:9090                  
url-template portal
source-ip 192.168.0.250
#
aaa
authentication-scheme default
authentication-scheme radius
  authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme radius
  accounting-mode radius
  accounting realtime 1
domain default
domain default_admin
domain leeson.com
  authentication-scheme radius
  accounting-scheme radius
  radius-server radius
  statistic enable
local-user admin password irreversible-cipher %@%@i5+*Q]e1jOIgu.)+>.E!o7rL!tS)&6q{1=C&;v5uA!Z)7rOo%@%@
local-user admin privilege level 15
local-user admin service-type telnet http
local-user leeson password irreversible-cipher %@%@n2R,AhiG/R1#c>>jL1u/p1BGlJZV~O,$L#yD84&o~8>81BJp%@%@
local-user leeson privilege level 15     
local-user leeson service-type telnet http
local-user lishuo password irreversible-cipher %@%@GY2h3cG!o4_dr(*WnBo%WH1kDBSq/"YW9-p\aa-whY/<H1nW%@%@
local-user lishuo privilege level 15
local-user lishuo service-type telnet http
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.0.250 255.255.255.0
web-auth-server portal direct
portal domain leeson.com
mac-authen
mac-authen username macaddress format without-hyphen
mac-authen domain leeson.com
dhcp select relay
dhcp relay server-ip 192.168.0.254
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#                                         
interface GigabitEthernet0/0/2
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 100
#                                         
interface GigabitEthernet0/0/8
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/9
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/12
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/13
port link-type access
port default vlan 100
#                                         
interface GigabitEthernet0/0/14
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/15
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/16
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/17
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/18
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/19
port link-type access
port default vlan 100
#                                         
interface GigabitEthernet0/0/20
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/21
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/22
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/23
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 10
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/4
#                                         
ssh server compatible-ssh1x enable
#
web-auth-server version v2
portal timer offline-detect 30
portal free-rule 0 destination any source ip 192.168.0.1 mask 255.255.255.255
portal free-rule 1 destination ip 192.168.0.1 mask 255.255.255.255 source any
portal free-rule 2 destination any source ip 192.168.0.254 mask 255.255.255.255
portal free-rule 3 destination ip 192.168.0.254 mask 255.255.255.255 source any
portal free-rule 4 destination any source ip 192.168.0.250 mask 255.255.255.255
portal free-rule 5 destination ip 192.168.0.250 mask 255.255.255.255 source any
portal free-rule 6 destination any source ip 118.118.118.9 mask 255.255.255.255
portal free-rule 7 destination ip 118.118.118.9 mask 255.255.255.255 source any
portal free-rule 8 destination any source ip 202.98.192.67 mask 255.255.255.255
portal free-rule 9 destination ip 202.98.192.67 mask 255.255.255.255 source any
portal free-rule 10 destination any source interface GigabitEthernet0/0/1
portal free-rule 28 destination any source ip 192.168.0.10 mask 255.255.255.255
portal free-rule 29 destination ip 192.168.0.10 mask 255.255.255.255 source any
#
user-interface con 0
authentication-mode password
set authentication password cipher @%@%!'"/22O3L7H\t(M>:R4Myy=itER,GfG*U!`UKbWqOC6Oy=ly@%@%
user-interface vty 0 4
authentication-mode aaa
user privilege level 15                  
protocol inbound all
user-interface vty 16 20
protocol inbound telnet
#
port-group alle
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
group-member GigabitEthernet0/0/3
group-member GigabitEthernet0/0/4
group-member GigabitEthernet0/0/5
group-member GigabitEthernet0/0/6
group-member GigabitEthernet0/0/7
group-member GigabitEthernet0/0/8
group-member GigabitEthernet0/0/9
group-member GigabitEthernet0/0/10
group-member GigabitEthernet0/0/11
group-member GigabitEthernet0/0/12
group-member GigabitEthernet0/0/13
group-member GigabitEthernet0/0/14
group-member GigabitEthernet0/0/15
group-member GigabitEthernet0/0/16
group-member GigabitEthernet0/0/17
group-member GigabitEthernet0/0/18
group-member GigabitEthernet0/0/19       
group-member GigabitEthernet0/0/20
group-member GigabitEthernet0/0/21
group-member GigabitEthernet0/0/22
group-member GigabitEthernet0/0/23
group-member GigabitEthernet0/0/24
#
return
[LeeSon-SW] 




=======================================================

配置原理说明如下(以下为通用示例,其模版名(drcom、default_portal 等)和 IP 地址(172.31.x.x)与上文实际配置中的 portal 模版、192.168.0.x 地址并不相同,请按实际环境对应替换):


1、配置url模版(登录跳转的认证页地址和赋值参数)

url-template name drcom

 url http://172.31.251.2/a79.htm

 url-parameter user-mac wlanusermac user-ipaddress wlanuserip sysname wlanacname  //此处的三个参数名(wlanuserip、wlanusermac、wlanacname)一定要与 Portal 服务器上配置的名字一致,否则赋值参数不正确,无法顺利认证。

quit

undo portal url-encode enable  //关闭URL编解码功能,使赋值参数中的IP地址为原始形式,不被转为安全转义形式

2、配置portal认证模版(设置与portal服务器对接的有关参数)

web-auth-server default_portal

 server-ip 172.31.251.2     //portal服务器地址

 port 2000    //此处portal服务器走2000端口号,一般常见是50100

 shared-key cipher portal    //对接密钥

 url-template drcom            //引用前面配置的url模版

 source-ip 172.31.100.221    //交换机用于与portal服务器对接的源地址

quit

3、配置radius服务器模版

radius-server template default_mould

 radius-server shared-key cipher portal   //对接密钥

 radius-server authentication 172.31.251.2 1812 source ip-address 172.31.100.222 weight 80  

 radius-server accounting 172.31.251.2 1813 source ip-address 172.31.100.222 weight 80  //必须配置计费,否则AAA服务器看不到用户上线

 radius-server retransmit 2

 undo radius-server user-name domain-included   //发送的认证用户名不携带域名

 radius-attribute nas-ip 172.31.100.222   //与radius服务器对接的本地源地址

quit

radius-server authorization 172.31.251.2 shared-key cipher portal   //必须配置授权指向radius服务器,否则portal服务器提供的用户主动点击下线功能将无效

 

4、配置免认证规则(即无需认证即可通信的流量。至少需要放通到DNS的流量,否则用户输入的网址无法解析,就不会产生HTTP流量,也就无法弹出认证页——Portal认证页只有在出现HTTP流量时才会弹出。免认证范围应只包含认证所必需的地址,尽量避免放通大段网段)

free-rule-template name default_free_rule

 free-rule 0 destination ip 172.22.12.0 mask 255.255.255.0 source ip 172.22.12.0 mask 255.255.255.0

 free-rule 1 destination ip 192.168.200.200 mask 255.255.255.255

 free-rule 2 destination ip 192.168.200.203 mask 255.255.255.255

 free-rule 3 destination ip 192.168.200.201 mask 255.255.255.255

 free-rule 4 destination ip 192.168.200.199 mask 255.255.255.255

 free-rule 5 destination ip 172.22.12.254 mask 255.255.255.255

 free-rule 6 destination ip 192.168.200.205 mask 255.255.255.255

 free-rule 7 destination ip 172.22.12.255 mask 255.255.255.255

 free-rule 8 destination ip 223.0.0.0 mask 192.0.0.0

 free-rule 9 destination ip 172.31.251.2 mask 255.255.255.255

quit

5、配置portal准入策略引用portal模版

portal-access-profile name portal_access_profile

 web-auth-server default_portal direct

quit

6、配置认证方案,引用portal准入策略

authentication-profile name portal_authen_profile

 portal-access-profile portal_access_profile

quit

7、配置AAA

aaa

 authentication-scheme default_radius   //创建名为default_radius的认证方案,使用radius认证模式

  authentication-mode radius

quit

 authorization-scheme radius      //创建名为radius的授权方案

 accounting-scheme radius         //创建计费方案,使用radius方式

  accounting-mode radius

  accounting realtime 15              //开启实时计费功能,并设置实时计费时间间隔为15分钟。

quit

 domain default                            //在AAA的默认域中引用认证、授权、计费的方案

  authentication-scheme default_radius

  accounting-scheme radius

  authorization-scheme radius

  radius-server default_mould

quit

8、配置接口应用认证方案

interface Vlanif13

 authentication-profile portal_authen_profile


