HP 5500 Ei 5500 Si Switch Series Configuration Guide

 166 
# Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without 
the ISP domain at logon, the authentication an d accounting methods of the default domain are 
used for the user. 
[Switch] domain default enable dm1 
3.  Configure portal authentication: 
# Configure a portal server on the switch, making  sure that the IP address, port number and URL 
match those of the actual portal server. 
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url...

 167 
IP address). For information about DHCP relay agent configuration, see  Layer 3—IP Services 
Configuration Guide . 
•   Make sure the IP address of the portal device added on the portal server is the public IP address of 
the interface connecting users (20. 20.20.1 in this example), the private IP address range for the IP 
address group associated with the portal device  is the private network segment where the users 
reside (10.0.0.0/24 in this example), and the public IP address range for the IP...

 168 
{ Port number: 50100 
{ U R L :  h t t p : / / 1 9 2 .16 8 . 0 .1 11:8080/portal. 
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 url \
http://192.168.0.111:8080/portal 
# Configure the switch as a DHCP relay agen t, and enable the IP address check function.  
[Switch] dhcp enable 
[Switch] dhcp relay server-group 0 ip 192.168.0.112 
[Switch] interface vlan-interface 100 
[Switch–Vlan-interface100] ip address 20.20.20.1 255.255.255.0 
[Switch–Vlan-interface100] ip address...

 169 
•  Make sure the IP address of the portal device added on the portal server is the IP address of the 
interface connecting users (20.20.20.1 in this exam ple), and the IP address group associated with 
the portal device is the network segment where  the users reside (8.8.8.0/24 in this example). 
Perform the following configuration to configure cross-subnet portal authentication on Switch A:  
1. Configure a RADIUS scheme: 
# Create a RADIUS scheme named  rs1 and enter its view.  
 system-view...

 170 
On Switch B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1. 
(Details not shown.) 
Configuring direct portal authentication with extended 
functions 
Network requirements 
As shown in Figure 68: 
•   T
he host is directly connected to the switch and the switch is configured for direct extended portal 
authentication. The host is assigned with a publ ic network IP address either manually or through 
DHCP. If the host fails security check after passing...

 171 
[Switch-radius-rs1] key authentication radius 
[Switch-radius-rs1] user-name-format without-domain 
# Configure the IP address of the security policy server.  
[Switch-radius-rs1] security-policy-server 192.168.0.113 
[Switch-radius-rs1] quit 
2. Configure an authentication domain: 
# Create an ISP domain named  dm1 and enter its view.  
[Switch] domain dm1 
# Configure AAA methods for the ISP domain. 
[Switch-isp-dm1] authentication portal radius-scheme rs1 
[Switch-isp-dm1] authorization portal...

 172 
Configuring re-DHCP portal authentication with extended 
functions 
Network requirements 
As shown in Figure 69: 
•   T
he host is directly connected to the switch and the switch is configured for re-DHCP authentication. 
The host is assigned with an IP address through the DHCP server. Before passing portal 
authentication, the host uses an assigned private  IP address. After passing portal authentication, the 
host can get a public IP address. 
•   If the host fails security check after passing...

 173 
Perform the following configuration to configure re-DHCP portal authentication with extended functions 
on the switch: 
1. Configure a RADIUS scheme: 
# Create a RADIUS scheme named  rs1 and enter its view.  
 system-view 
[Switch] radius scheme rs1 
# Set the server type for the RADIUS scheme. When  using the IMC server, set the server type to 
extended .  
[Switch-radius-rs1] server-type extended 
# Specify the primary authentication server and primary accounting server, and configure the keys...

 174 
{ IP address: 192.168.0.1 11 
{  Key: portal 
{ Port number: 50100 
{ U R L :  h t t p : / / 1 9 2 .16 8 . 0 .1 11:8080/portal. 
[Switch] portal server newpt ip 192.168.0.111 key portal port 50100 
url http://192.168.0.111:8080/portal 
# Configure the switch as a DHCP relay agen t, and enable the IP address check function.  
[Switch] dhcp enable 
[Switch] dhcp relay server-group 0 ip 192.168.0.112 
[Switch] interface vlan-interface 100 
[Switch–Vlan-interface100] ip address 20.20.20.1 255.255.255.0...

 175 
Configuration procedure 
Make sure the IP address of the portal device added on the portal server is the IP address of the interface 
connecting users (20.20.20.1 in this example), and  the IP address group associated with the portal 
device is the network segment where the us ers reside (8.8.8.0/24 in this example). 
Configure IP addresses for the host, switches, and servers as shown in  Figure 70 and mak
 e sure that they 
can reach each other. 
Configure the RADIUS server properly to provide...