Configuring CAMS Portal Authentication with a Side-Mounted MA5200F
Network requirements:
Portal authentication with the MA5200F in a side-mounted (one-armed) arrangement is widely used, mainly because in this mode adding a Portal authentication device and a CAMS server requires almost no change to the existing network, which makes service deployment very convenient. The following uses an MA5200F side-mounted on an S3528P as an example of this typical network; in real deployments the MA5200F is usually side-mounted on a core-layer switch.
Network diagram:
Configuration steps:
CAMS server version: 2.10-R0121
MA5200 version: Version 2.10 RELEASE 7135
S3528P version: Version 3.10, RELEASE 0025
1 Configure the S3528P
Enable policy-based routing on the S3528P interface connected to the terminals, so that the terminals' traffic towards the external network is redirected to the MA5200F.
#
sysname 3528P
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
radius-scheme system
access-limit disable
state active
vlan-assignment-mode integer
idle-cut disable
self-service-url disable
messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
#
temperature-limit 0 20 80
#
acl number 3000
rule 0 permit ip source 172.16.0.0 0.0.0.255
#
vlan 1
#
vlan 2
#
interface Vlan-interface1
ip address 172.16.0.1 255.255.255.0
#
interface Vlan-interface2
ip address 192.168.0.1 255.255.255.0
#
interface Aux0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Ethernet0/5
#
interface Ethernet0/6
#
interface Ethernet0/7
#
interface Ethernet0/8
#
interface Ethernet0/9
#
interface Ethernet0/10
#
interface Ethernet0/11
#
interface Ethernet0/12
traffic-redirect inbound ip-group 3000 rule 0 next-hop 172.16.0.108
#
interface Ethernet0/13
port access vlan 2
#
interface Ethernet0/14
port access vlan 2
#
interface Ethernet0/15
port access vlan 2
#
interface Ethernet0/16
port access vlan 2
#
interface Ethernet0/17
port access vlan 2
#
interface Ethernet0/18
port access vlan 2
#
interface Ethernet0/19
port access vlan 2
#
interface Ethernet0/20
port access vlan 2
#
interface Ethernet0/21
port access vlan 2
#
interface Ethernet0/22
port access vlan 2
#
interface Ethernet0/23
port access vlan 2
#
interface Ethernet0/24
port access vlan 2
#
interface GigabitEthernet1/1
#
interface GigabitEthernet1/2
#
interface GigabitEthernet1/3
#
interface GigabitEthernet1/4
#
interface NULL0
#
user-interface aux 0
user-interface vty 0 4
#
return
2 Configure the MA5200F and enable Portal
#
version 7135
sysname MA5200F
#
system language-mode english
#
web-auth-server version v2
web-auth-server 192.168.0.13 port 50100 key cams
#
radius-server group cams
radius-server key cams
radius-server authentication 192.168.0.13 1812
radius-server accounting 192.168.0.13 1813
radius-server type portal
undo radius-server user-name domain-included
radius-server traffic-unit kbyte
radius-server group login
#
info-center logbuffer channel 0
undo trap-statistics 70f2000
undo trap-statistics 70f2001
undo trap-statistics 70f2002
undo trap-statistics 70f2003
undo trap-statistics 70f2004
undo trap-statistics 70f2005
undo trap-statistics 70f2008
undo trap-statistics 70f2009
undo trap-statistics 70f200c
undo trap-statistics 70f200d
undo trap-statistics 70f200e
undo trap-statistics 70f200f
undo trap-statistics 70f2017
undo trap-statistics 70f2018
undo trap-statistics 70f201c
undo trap-statistics 70f201d
undo trap-statistics 7032000
undo trap-statistics 7032001
undo trap-statistics 7032002
#
interface Ethernet1
#
interface Ethernet1.0
ip address 172.16.0.108 255.255.255.0
#
interface Ethernet2
#
interface Ethernet2.0
ip address 192.168.0.16 255.255.255.0
#
interface Ethernet3
#
interface Ethernet4
#
interface Ethernet5
#
interface Ethernet6
#
interface Ethernet7
#
interface Ethernet8
#
interface Ethernet9
#
interface Ethernet10
#
interface Ethernet11
#
interface Ethernet12
#
interface Ethernet13
#
interface Ethernet14
#
interface Ethernet15
#
interface Ethernet16
#
interface Ethernet17
#
interface Ethernet18
#
interface Ethernet19
#
interface Ethernet20
#
interface Ethernet21
#
interface Ethernet22
#
interface Ethernet23
#
interface Ethernet24
#
interface GigabitEthernet25
#
interface GigabitEthernet26
#
interface NULL0
#
interface LoopBack0
#
interface Nm-Ethernet0
#
acl number 3001 match-order auto
rule 1 net-user permit ip source 192.168.0.13 0 destination 1
rule 0 user-net permit ip source 1 destination 192.168.0.13 0
rule 2 user-net deny ip source 1
#
l2tp-group 1
#
dot1x-template 1
#
aaa
authentication-scheme auth
accounting-scheme acct
domain default0
web-server 192.168.0.13
web-server url http://192.168.0.13/portal
ucl-group 1
domain isp
authentication-scheme auth
accounting-scheme acct
radius-server group cams
portal-server 192.168.0.13
#
local-aaa-server
local-accounting alarm-threshold flash 100
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
ip route-static 172.16.0.0 255.255.255.0 172.16.0.1
#
access-group 3001
#
user-interface con 0
user-interface vty 0 4
#
layer3-subscriber 172.16.0.1 172.16.0.254 domain-name default0
portvlan ethernet 1 vlan 0 1
access-type layer3-subscriber
default-domain authentication isp
portvlan ethernet 2 vlan 0 1
access-type interface
#
3 Configure the Portal-related items on the CAMS console
Only the Portal-related configuration items are described here; for the other basic items (such as adding access devices, configuring services and configuring users) refer to the user manual or the software help.
3.1 In "Portal component -> IP address group", add the IP address range of the terminals that need to be authenticated.
3.2 In "Portal component -> Device information", add the Portal access device, which in this example is the uplink interface address of the MA5200F.
3.3 After the device has been added, the new entry appears on the device information management page. Click the "Port information management" button at the end of the entry and fill in the details of the Portal access device, referencing the "IP address group" created in step 3.1.
Key configuration point:
All traffic from the terminals to the external network must be redirected to the MA5200F; this is the crux of the solution. Any terminal address outside ACL 3000, or any access interface without the traffic-redirect, bypasses Portal authentication entirely, and on the MA5200F the pre-authentication ACL 3001 must leave unauthenticated users (ucl-group 1) no destination other than the CAMS/Portal server.
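The following script is an added example, not part of the original article or of the vendor's tooling. It re-checks the key point above against the two configurations on this page: it parses the S3528P ACL and traffic-redirect to confirm that every address in the MA5200F's layer3-subscriber range is redirected and that the next-hop is an address configured on the MA5200F, and it checks that the MA5200F pre-authentication ACL 3001 permits unauthenticated users (user-net direction) to reach only the CAMS server and ends with a deny. The config excerpts are constructed from the page with the usual one-space Comware indentation restored; the script assumes contiguous wildcard masks and, as in the page's domain default0, that "source 1" in ACL 3001 denotes ucl-group 1.

```python
import ipaddress
import re

# Constructed excerpt of the S3528P config from this page (indentation restored).
S3528P_CFG = """\
acl number 3000
 rule 0 permit ip source 172.16.0.0 0.0.0.255
#
interface Ethernet0/12
 traffic-redirect inbound ip-group 3000 rule 0 next-hop 172.16.0.108
"""

# Constructed excerpt of the MA5200F config from this page (indentation restored).
MA5200F_CFG = """\
interface Ethernet1.0
 ip address 172.16.0.108 255.255.255.0
#
acl number 3001 match-order auto
 rule 1 net-user permit ip source 192.168.0.13 0 destination 1
 rule 0 user-net permit ip source 1 destination 192.168.0.13 0
 rule 2 user-net deny ip source 1
#
layer3-subscriber 172.16.0.1 172.16.0.254 domain-name default0
"""


def wildcard_to_network(addr, wildcard):
    """Convert a Comware 'address wildcard' pair to a CIDR network.
    A 0 bit in the wildcard must match; assumes the wildcard is contiguous."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network("%s/%d" % (addr, bin(mask).count("1")), strict=False)


def parse_acl_rules(cfg, acl_num):
    """Return {rule id: source network} for 'rule N permit ip source A W' lines of one ACL."""
    rules, current = {}, None
    for line in cfg.splitlines():
        header = re.match(r"acl number (\d+)", line.strip())
        if header:
            current = header.group(1)
            continue
        if not line.startswith(" "):
            current = None  # '#' or another top-level line ends the ACL block
            continue
        m = re.match(r"rule (\d+) permit ip source (\S+) (\S+)", line.strip())
        if current == acl_num and m:
            rules[m.group(1)] = wildcard_to_network(m.group(2), m.group(3))
    return rules


def redirect_check(s3528p_cfg, ma5200f_cfg):
    """Check that the redirect on the S3528P covers the whole subscriber range that the
    MA5200F authenticates and points at an address the MA5200F actually owns."""
    m = re.search(r"traffic-redirect inbound ip-group (\d+) rule (\d+) next-hop (\S+)", s3528p_cfg)
    if not m:
        raise ValueError("no traffic-redirect configured on the access interface")
    acl_num, rule_num, next_hop = m.groups()
    redirected = parse_acl_rules(s3528p_cfg, acl_num)[rule_num]

    lo, hi = re.search(r"layer3-subscriber (\S+) (\S+)", ma5200f_cfg).groups()
    lo, hi = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    # Every subscriber address not matched by the ACL would reach the Internet unauthenticated.
    uncovered = sum(1 for a in range(lo, hi + 1) if ipaddress.IPv4Address(a) not in redirected)

    ma5200f_addrs = set(re.findall(r"ip address (\S+) \S+", ma5200f_cfg))
    return {"uncovered_subscribers": uncovered, "next_hop_on_ma5200f": next_hop in ma5200f_addrs}


def preauth_policy_is_closed(ma5200f_cfg, portal_ip):
    """True if the user-net rules let the unauthenticated group reach only portal_ip
    (host match, wildcard 0) and an unqualified deny closes the group off otherwise."""
    permits, denies = [], 0
    for line in ma5200f_cfg.splitlines():
        m = re.match(r"rule \d+ user-net (permit|deny) ip source 1(?: destination (\S+) (\S+))?$",
                     line.strip())
        if not m:
            continue
        action, dst, wc = m.groups()
        if action == "deny" and dst is None:
            denies += 1
        elif action == "permit":
            permits.append((dst, wc))
    return denies >= 1 and all(dst == portal_ip and wc == "0" for dst, wc in permits)


if __name__ == "__main__":
    print(redirect_check(S3528P_CFG, MA5200F_CFG))
    print("pre-auth policy closed:", preauth_policy_is_closed(MA5200F_CFG, "192.168.0.13"))
```

Run against the page's configuration the redirect check reports no uncovered subscriber and a valid next-hop, and the pre-authentication policy is closed. Narrowing the ACL 3000 wildcard to 0.0.0.127 makes the script report 127 subscriber addresses that would bypass the portal, and removing rule 2 from ACL 3001 makes the pre-authentication policy open; those are the two misconfigurations the key point above warns against.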