Portal authentication is a simple and fast authentication method that more and more companies adopt. Some large companies do not host the iMC server locally but on the public Internet, so portal authentication has to cross NAT. This case implements a simple portal authentication across NAT.
I. Device configuration:
portal server portal21 ip 192.168.15.6 key cipher $c$3$CLWGrRPHS7r5ZEF4y7gKaR/MNK9smg== url http://192.168.15.6:8080/portal server-type imc //configure the portal server, password h3c
portal free-rule 1 source ip any destination ip 8.8.8.8 mask 255.255.255.255 //permit traffic to the DNS address
portal free-rule 2 source ip any destination ip 114.64.255.148 mask 255.255.255.255
portal free-rule 3 source ip any destination ip 114.64.255.0 mask 255.255.255.0
portal free-rule 4 source ip any destination ip 192.168.199.1 mask 255.255.255.255
portal free-rule 5 source ip any destination ip 192.168.20.1 mask 255.255.255.255
#
domain default enable portal21
acl number 3000 //ACL used to deliver a distinct authorization policy
rule 0 deny ip destination 111.1.1.1 0
rule 5 permit ip
acl number 3001 //ACL used to deliver a distinct authorization policy
rule 0 deny ip destination 111.1.1.2 0
rule 5 permit ip
#
vlan 15
#
vlan 20 to 22
radius scheme portal21
primary authentication 192.168.15.6 key cipher $c$3$i+VDTbQz76KaYNVGCLgjxeW5hzuU/A== //shared key h3c
primary accounting 192.168.15.6 key cipher $c$3$ESLodi1ding/kohgcCABb+W78ehsrg==
user-name-format without-domain
nas-ip 192.168.15.1
#
domain portal21
authentication portal radius-scheme portal21
authorization portal radius-scheme portal21
accounting portal radius-scheme portal21
access-limit disable
state active
idle-cut disable
self-service-url disable
interface LoopBack1 //address used to test the policy
ip address 111.1.1.1 255.255.255.255
#
interface LoopBack2 //address used to test the policy
ip address 111.1.1.2 255.255.255.255
interface Vlan-interface15 //interface connecting to iMC
description ssid-imc-portal-test
ip address 192.168.15.1 255.255.255.0
nat server 1 protocol udp global current-interface 2000 inside 192.168.20.1 2000 //192.168.15.1 simulates the public address and iMC 192.168.15.6 the server on the public network; a UDP port 2000 server mapping must be configured on the public-facing interface
#
interface Vlan-interface20 //interface connecting to the authentication clients
description ssid-6234
ip address 192.168.20.1 255.255.255.0
portal server portal21 method direct
snmp-agent //configure SNMP parameters
snmp-agent local-engineid 800063A203B8AF67F778FC
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info location Location:shenzhen
snmp-agent sys-info version all
II. iMC configuration
1. Configure the access device
2. Configure the portal IP address group
3. Configure the portal device
4. Customize the page
Select a template and click Add
5. Configure the page push policy
Configure two sub-policies, as follows
In HTTP packets from Windows 7, the HTTP User-Agent field contains Windows NT 6.1
A capture on the iMC server of HTTP packets sent by an iPhone 5 running iOS 8.3 shows that the User-Agent field contains CPU iPhone OS
6. In port group information management, reference the IP address group and the page push policy
Configure it to reference the NAT IP address group
7. Under access conditions, add a terminal type group
8. Configure the access policies; different policies reference different ACLs to implement different permission control
9. Configure the access services; different terminal types reference different access policies
10. Configure the access user and bind it to this access service
Configuration complete
Authentication result
PC login:
After authentication succeeds
Ping and check the ACL on the device
Advanced ACL 3000, named -none-, 2 rules,
ACL's step is 5
rule 0 deny ip destination 111.1.1.1 0 (9 times matched)
rule 5 permit ip (5131 times matched)
iPhone client login:
Check the ACL match status on the device
Advanced ACL 3001, named -none-, 2 rules,
ACL's step is 5
rule 0 deny ip destination 111.1.1.2 0 (23 times matched)
rule 5 permit ip (7541 times matched)
View the NAT debugging on the device
Info: NAT packet debugging is enabled on this interface!
Info: Current terminal monitor is on.
Info: Current terminal debugging is on.
%Jun 8 21:58:04:606 2015 cy15 PPPOEC/6/PPPOEC_LOG_FAIL_SERVER_ERR: PPPoE user failed to log on for no response was received from server.
%Jun 8 21:58:04:607 2015 cy15 PPPOEC/6/PPPOEC_LOG_FAIL_SERVER_ERR: PPPoE user failed to log on for no response was received from server.
*Jun 8 21:58:10:723 2015 cy15 NAT/7/debug:
(Vlan-interface15-in :)Pro : UDP
( 192.168.15.6:50100 - 192.168.15.1: 2000) ------>
( 192.168.15.6:50100 - 192.168.15.1: 2000)
*Jun 8 21:58:10:727 2015 cy15 NAT/7/debug:
(Vlan-interface15-out :)Pro : UDP is from NAT server
( 192.168.20.1: 2000 - 192.168.15.6:50100) ------>
( 192.168.15.1: 2000 - 192.168.15.6:50100)
*Jun 8 21:58:11:699 2015 cy15 NAT/7/debug:
(Vlan-interface15-out :)Pro : UDP is from NAT server
( 192.168.20.1: 2000 - 192.168.15.6:50100) ------>
( 192.168.15.1: 2000 - 192.168.15.6:50100)
*Jun 8 21:58:11:705 2015 cy15 NAT/7/debug:
(Vlan-interface15-out :)Pro : UDP is from NAT server
( 192.168.20.1: 2000 - 192.168.15.6:50100) ------>
( 192.168.15.1: 2000 - 192.168.15.6:50100)
*Jun 8 21:58:12:354 2015 cy15 NAT/7/debug:
(Vlan-interface15-out :)Pro : UDP is from NAT server
( 192.168.20.1: 2000 - 192.168.15.6:50100) ------>
( 192.168.15.1: 2000 - 192.168.15.6:50100)
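As an added example (my own helper, not H3C or iMC code, and not part of the original case), a small Python checker that parses NAT/7/debug records in the format shown above and verifies that every record flagged "is from NAT server" rewrites the inside socket 192.168.20.1:2000 to the global socket 192.168.15.1:2000 from the nat server mapping on Vlan-interface15, leaving the iMC peer socket untouched. The sample records are constructed copies of the page's format; the function and variable names are assumptions.

```python
import re

# Constructed sample (same format as the NAT/7/debug output above; hypothetical helper, not H3C/iMC code)
NAT_DEBUG = """\
*Jun 8 21:58:10:723 2015 cy15 NAT/7/debug:
(Vlan-interface15-in :)Pro : UDP
( 192.168.15.6:50100 - 192.168.15.1: 2000) ------>
( 192.168.15.6:50100 - 192.168.15.1: 2000)
*Jun 8 21:58:10:727 2015 cy15 NAT/7/debug:
(Vlan-interface15-out :)Pro : UDP is from NAT server
( 192.168.20.1: 2000 - 192.168.15.6:50100) ------>
( 192.168.15.1: 2000 - 192.168.15.6:50100)
"""

# Expected mapping from "nat server 1 protocol udp global current-interface 2000 inside 192.168.20.1 2000",
# with current-interface resolved to Vlan-interface15's address 192.168.15.1.
NAT_SERVER = {"proto": "UDP", "global": ("192.168.15.1", 2000), "inside": ("192.168.20.1", 2000)}

_REC = re.compile(
    r"\((?P<iface>[\w-]+?)-(?P<dir>in|out) :\)Pro : (?P<proto>\w+)(?P<srv> is from NAT server)?\s*\n"
    r"\(\s*(?P<s1>[\d.]+):\s*(?P<p1>\d+) - (?P<d1>[\d.]+):\s*(?P<q1>\d+)\) ------>\s*\n"
    r"\(\s*(?P<s2>[\d.]+):\s*(?P<p2>\d+) - (?P<d2>[\d.]+):\s*(?P<q2>\d+)\)"
)

def parse_nat_debug(text):
    """One dict per record: interface, direction, protocol, NAT-server flag,
    and (src, dst) sockets before and after translation."""
    return [{
        "iface": m["iface"], "dir": m["dir"], "proto": m["proto"],
        "from_server": m["srv"] is not None,
        "before": ((m["s1"], int(m["p1"])), (m["d1"], int(m["q1"]))),
        "after": ((m["s2"], int(m["p2"])), (m["d2"], int(m["q2"]))),
    } for m in _REC.finditer(text)]

def check_server_mapping(recs, mapping=NAT_SERVER):
    """Every 'is from NAT server' record must rewrite the inside socket to the
    global socket and leave the peer (iMC) socket untouched. Returns (ok_count, problems)."""
    ok, problems = 0, []
    for r in recs:
        if not r["from_server"] or r["proto"] != mapping["proto"]:
            continue
        (src_b, dst_b), (src_a, dst_a) = r["before"], r["after"]
        if src_b == mapping["inside"] and src_a == mapping["global"] and dst_b == dst_a:
            ok += 1
        else:
            problems.append(f"{r['iface']}-{r['dir']}: {src_b} -> {src_a}, peer {dst_a}")
    return ok, problems
```

Run it over a `terminal debugging` capture of the NAT debug output; a non-empty problem list means the reply to iMC left the device with an untranslated inside address, which is exactly the symptom of a missing or wrong `nat server` mapping on the public-facing interface.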