
SecPath F100-C80-WiNet access authentication question

Asked 1 day ago
  • 0 following
  • 0 favorites, 115 views
感觉 (rank: 零段)
Followers: 0  Following: 0

Problem description:

A small LAN with a little over 100 computer terminals, connected to the Internet through a SecPath F100-C80-WiNet. Does this device support access authentication? If it does, could you experts provide a detailed configuration? Thanks!

2 answers
Followers: 114  Following: 0

Hello, it is supported. Refer to the configuration guide:

00-配置指导导读-新华三集团-H3C (configuration guide overview, New H3C Group)

Followers: 10  Following: 0

Configuration steps

Step 1: Log in to the device and enter system view

Log in to the device through the web management interface (WiNet) or the command line (CLI) and enter configuration mode.

<SecPath> system-view
[SecPath]

Step 2: Create local users

Create a username and password for each user who needs to authenticate. You can create them one by one, or configure a single default test user.

[SecPath] local-user admin class manage
[SecPath-luser-manage-admin] password simple YourPassword123   // simple means a plaintext password; cipher can be used for an encrypted one
[SecPath-luser-manage-admin] service-type web                   // service type Web (used for Portal)
[SecPath-luser-manage-admin] authorization-attribute user-role network-operator   // grant the network access role
[SecPath-luser-manage-admin] quit

Step 3: Configure an ISP domain and bind the authentication methods

Create an authentication domain (for example ***.***) and set the authentication, authorization and accounting methods to local.

[SecPath] domain name ***.***
[SecPath-isp-***.***] authentication login local
[SecPath-isp-***.***] authorization login local
[SecPath-isp-***.***] accounting login local
[SecPath-isp-***.***] quit

Step 4: Configure the Portal server

Enable the Portal authentication service on the firewall and set up a virtual server.

[SecPath] portal local-server enable            // enable the local Portal server
[SecPath] portal local-server ip 192.168.1.1    // IP address of the Portal server (normally the device's inside interface IP)

Step 5: Configure authentication-free rules

Create an ACL (access control list) that matches the resources that must be reachable without authentication, such as the Portal login page itself and the DNS servers. This avoids an authentication dead loop.

[SecPath] acl advanced 3000
[SecPath-acl-ipv4-adv-3000] rule 0 permit tcp destination 192.168.1.1 0 destination-port eq 80   // allow port 80 on the device itself (Portal page)
[SecPath-acl-ipv4-adv-3000] rule 5 permit udp destination any destination-port eq 53               // allow DNS (UDP port 53)
[SecPath-acl-ipv4-adv-3000] quit

Step 6: Apply Portal authentication on the interface

Enter the interface that faces the internal network (for example GigabitEthernet1/0/1) and apply Portal authentication in its inbound direction.

[SecPath] interface GigabitEthernet 1/0/1
[SecPath-GigabitEthernet1/0/1] portal enable method layer3    // enable Layer 3 Portal authentication
[SecPath-GigabitEthernet1/0/1] portal apply local-server      // apply the local Portal server
[SecPath-GigabitEthernet1/0/1] portal free-rule 3000          // reference the authentication-free rule created in step 5
[SecPath-GigabitEthernet1/0/1] portal domain ***.***          // specify the authentication domain
[SecPath-GigabitEthernet1/0/1] quit

Step 7: Configure the security policy

This is the most critical step: a security policy must permit traffic from the internal zone to the Local zone, otherwise authentication requests cannot reach the device.

[SecPath] security-policy ip
[SecPath-security-policy-ip] rule name permit_portal_auth
[SecPath-security-policy-ip-1-permit_portal_auth] action pass
[SecPath-security-policy-ip-1-permit_portal_auth] source-zone trust        // internal zone
[SecPath-security-policy-ip-1-permit_portal_auth] destination-zone local   // the zone the device itself belongs to
[SecPath-security-policy-ip-1-permit_portal_auth] quit
[SecPath-security-policy-ip] quit

Step 8: Save the configuration

[SecPath] save force

Verification and testing

  1. After the configuration is complete, an internal user opens a browser and visits any web page.

  2. The browser is automatically redirected to the Portal login page (the URL is normally the device's internal IP, such as http://192.168.1.1).

  3. The user enters the username (admin) and password (YourPassword123) set in step 2.

  4. Once authentication succeeds, the user can access the Internet normally.

Other authentication options

  • 802.1X authentication: the most secure option, but client software has to be installed and configured on every PC. Suited to environments with very high security requirements and strict endpoint management.

  • MAC authentication: the device authenticates endpoints by their MAC address. Suited to printers, IP phones and other devices that cannot easily interact with a login page.

  • External server authentication: if your company has an AD domain (Windows Active Directory), the firewall can be integrated with it so that users log in with their domain account and password. This requires a more complex configuration.
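The answer above names two conditions a portal setup must meet (step 5, an authentication-free rule that reaches the portal page, and step 7, a Trust-to-Local pass rule), and the comments below show those conditions expressed in a real running-config dump, with the free rules living in system view and one of them bound to an ACL. The script below is an added example, not code from this thread or from H3C, and the names in it (check_portal_config, free_entries, admitted and so on) are my own. It assumes the dump format seen in the comments (sections separated by lines containing only "#", sub-commands indented, "portal free-rule N acl M" to bind an ACL) and checks a constructed sample, condensed from the asker's dump, for both conditions; as a general least-privilege check it also flags pass rules that name no destination zone.

```python
# Added example (not from this thread or from H3C): checks an H3C Comware config dump for
# what the answer above says portal auth needs, a free rule that lets unauthenticated clients
# reach the portal server IP over HTTP (direct, or via "portal free-rule N acl M") and a
# security-policy pass rule from Trust to Local, and flags pass rules with no destination zone.
import ipaddress
import re

PORTS = {"www": 80, "http": 80, "dns": 53, "domain": 53}
FREE_RULE = re.compile(r"portal free-rule \d+ (?:acl (\d+)|destination ip (\S+) (\S+)(.*))$")
ACL_RULE = re.compile(r"rule \d+ permit (?:tcp|udp)(?: destination (\S+) (\S+))?(?: destination-port eq (\S+))?")
# Constructed sample condensed from the dump the asker posted in the comments.
SAMPLE_CONFIG = """\
interface Vlan-interface2
 ip address 192.168.168.1 255.255.255.0
 portal enable method layer3
#
acl advanced 3000
 rule 0 permit tcp destination 192.168.168.1 0 destination-port eq www
#
portal free-rule 1 destination ip 192.168.168.1 255.255.255.255
portal free-rule 2000 acl 3000
#
security-policy ip
 rule 1 name any
  action pass
  source-zone Trust
  destination-zone Local
 rule 0 name test
  action pass
  source-zone Trust
  source-zone Local
#
"""

def split_sections(text):
    """Sections (delimited by lines holding only '#') as lists of stripped lines."""
    out = [[]]
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "#":
            out.append([])
        elif line:
            out[-1].append(line)
    return [s for s in out if s]

def wildcard_prefix(wc):
    """ACL wildcard mask (dotted, or a bare 0 for one host) -> prefix length."""
    return 32 - (int(ipaddress.ip_address(wc)) if "." in wc else int(wc)).bit_length()

def port_of(tok):
    return PORTS.get(tok) or (int(tok) if tok and tok.isdigit() else None)

def acl_rules(sections):
    """{acl number: [(network or None, port or None), ...]} from its permit rules."""
    return {int(m.group(1)): [(ipaddress.ip_network(f"{ip}/{wildcard_prefix(wc)}", strict=False) if ip else None, port_of(port))
                              for ip, wc, port in (r.groups() for r in map(ACL_RULE.match, sec[1:]) if r)]
            for sec in sections for m in [re.match(r"acl (?:advanced|number) (\d+)$", sec[0])] if m}

def free_entries(sections):
    """Global 'portal free-rule' lines as (network, port or None) pairs; 'acl N' is expanded through that ACL."""
    acls, entries = acl_rules(sections), []
    for m in filter(None, (FREE_RULE.match(ln) for sec in sections for ln in sec)):
        acl, ip, mask, rest = m.groups()
        if acl:
            entries += acls.get(int(acl), [])
        else:
            ports = [p for p in map(port_of, rest.split()) if p]
            entries.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), ports[-1] if ports else None))
    return entries

def security_rules(sections):
    """'security-policy ip' rules -> {"name", "action", "src", "dst"} dicts."""
    rules = []
    for tok in (ln.split() for sec in sections if sec[0] == "security-policy ip" for ln in sec[1:]):
        if tok[0] == "rule" and len(tok) >= 4 and tok[2] == "name":
            rules.append({"name": tok[3], "action": None, "src": set(), "dst": set()})
        elif rules and tok[0] == "action":
            rules[-1]["action"] = tok[1]
        elif rules and tok[0] in ("source-zone", "destination-zone"):
            rules[-1]["src" if tok[0] == "source-zone" else "dst"].add(tok[1])
    return rules

def admitted(entries, addr, port):
    """True if some free entry admits unauthenticated traffic to addr:port (no port = all ports)."""
    return any((net is None or addr in net) and p in (None, port) for net, p in entries)

def check_portal_config(text):
    """Return a list of findings; an empty list means every check passed."""
    sections = split_sections(text)
    entries, findings = free_entries(sections), []
    for sec in (s for s in sections if s[0].startswith("interface ")):
        ips = [ln.split()[2] for ln in sec if re.match(r"ip address \d", ln)]
        if any(ln.startswith("portal enable") for ln in sec) and ips \
                and not admitted(entries, ipaddress.ip_address(ips[0]), 80):
            findings.append(f"{sec[0]}: no free rule lets unauthenticated clients reach portal server {ips[0]} over HTTP")
    policy = security_rules(sections)
    if not any(r["action"] == "pass" and "Trust" in r["src"] and "Local" in r["dst"] for r in policy):
        findings.append("security-policy: no pass rule from Trust to Local, so portal requests cannot reach the device")
    findings += [f"security-policy rule {r['name']}: action pass with no destination-zone matches every zone; confirm intended"
                 for r in policy if r["action"] == "pass" and not r["dst"]]
    return findings
```

To use it on a real device, save the output of display current-configuration to a file and pass its text to check_portal_config. On the sample, the portal interface's IP is reachable both through the direct free rule and through ACL 3000, and the Trust-to-Local rule exists, so the only finding is the rule named test, which passes traffic from Trust and Local to every destination zone; whether that breadth is intended is a question for the administrator, not a portal prerequisite.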

感觉 posted 22 hours ago

The software version on my device is 7.1.064, Release 9660P52. Some of the commands you provided do not apply.

感觉 posted 1 day ago

Step 6, referencing the ACL created in step 5: there is no such portal free-rule 3000 command.

感觉 posted 23 hours ago
Reply to 感觉:

Solution 1: define the rules directly in portal free-rule (common on older versions)

This is the most traditional approach: no separate ACL is created, and the authentication-free rules are written directly in the portal free-rule command.

# Enter the interface facing the internal network (for example GigabitEthernet1/0/1)
[SecPath] interface GigabitEthernet 1/0/1
# Authentication-free rule: allow all users to reach HTTP on destination IP 192.168.1.1 (the device itself)
[SecPath-GigabitEthernet1/0/1] portal free-rule 0 destination ip 192.168.1.1 32 http
# Authentication-free rule: allow all users to reach any DNS server (UDP port 53)
[SecPath-GigabitEthernet1/0/1] portal free-rule 1 destination ip any dns
# Enable Portal authentication and apply the server
[SecPath-GigabitEthernet1/0/1] portal enable method layer3
[SecPath-GigabitEthernet1/0/1] portal apply local-server
[SecPath-GigabitEthernet1/0/1] portal domain ***.***
[SecPath-GigabitEthernet1/0/1] quit

Command explanation:
free-rule 0: 0 is the rule number.
destination ip 192.168.1.1 32 http: destination IP 192.168.1.1 (the device interface IP), destination port http (80).
destination ip any dns: any destination IP, destination port dns (53).

Solution 2: use a service scheme (recommended on newer versions)

This is the preferred approach on newer Comware V7 releases: a "service" template references the ACL rules, which is more flexible.

Step 1: create the advanced ACL (unchanged)
[SecPath] acl advanced 3000
[SecPath-acl-ipv4-adv-3000] rule 0 permit tcp destination 192.168.1.1 0 destination-port eq www
[SecPath-acl-ipv4-adv-3000] rule 5 permit udp destination any destination-port eq domain
[SecPath-acl-ipv4-adv-3000] quit

Step 2: create a service scheme and bind the ACL 3000 created above
[SecPath] portal free-rule service-name SSL_VPN_Free_Rule acl 3000

Step 3: apply the service scheme on the interface
[SecPath] interface GigabitEthernet 1/0/1
[SecPath-GigabitEthernet1/0/1] portal free-rule service-name SSL_VPN_Free_Rule
[SecPath-GigabitEthernet1/0/1] portal enable method layer3
[SecPath-GigabitEthernet1/0/1] portal apply local-server
[SecPath-GigabitEthernet1/0/1] portal domain ***.***
[SecPath-GigabitEthernet1/0/1] quit

How to choose and verify?
Try Solution 1 first: the commands are simple and direct, and they work in the great majority of cases.
If the commands in Solution 1 are not supported either (for example, nothing completes after you type destination), use Solution 2.
Use ? for help: while configuring, enter portal free-rule ? to see which parameters the device supports; this is the most reliable way to find out.
[SecPath-GigabitEthernet1/0/1] portal free-rule ?
Verify the configuration: after configuring, check that the authentication-free rules are in place with:
display portal free-rule all

有飞不起的鸟 posted 23 hours ago

There is no portal free-rule command in interface view.

感觉 posted 23 hours ago

Now when I open a web page it shows "If your browser does not redirect automatically, please click here"; clicking the link opens a blank page.

感觉 posted 23 hours ago

#
 version 7.1.064, Release 9660P52
#
 sysname Study
#
 clock protocol none
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 dhcp enable
#
 dns server 8.8.8.8
 dns server 114.114.114.114
#
 password-recovery enable
#
vlan 1
#
vlan 2
#
dhcp server ip-pool ttt
 gateway-list 192.168.168.1
 network 192.168.168.0 mask 255.255.255.0
 dns-list 192.201.2.22 202.97.224.68
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface NULL0
#
interface Vlan-interface1
#
interface Vlan-interface2
 ip address 192.168.168.1 255.255.255.0
 manage http inbound
 manage http outbound
 manage https inbound
 manage https outbound
 manage netconf-http inbound
 manage netconf-https inbound
 manage netconf-ssh inbound
 manage ping inbound
 manage ping outbound
 manage snmp inbound
 manage ssh inbound
 manage ssh outbound
 manage telnet inbound
 manage telnet outbound
 portal enable method layer3
 portal domain system
 portal apply web-server local-server
 portal ipv4-max-user 200
#
interface GigabitEthernet1/0/0
 port link-mode route
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode route
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/4
 port link-mode route
#
interface GigabitEthernet1/0/6
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/9
 port link-mode route
 ip address dhcp-alloc
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 2
#
interface GigabitEthernet1/0/5
 port link-mode bridge
 port access vlan 2
#
interface GigabitEthernet1/0/7
 port link-mode bridge
 port access vlan 2
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
 import interface Vlan-interface2
 import interface GigabitEthernet1/0/3 vlan 1 to 2
 import interface GigabitEthernet1/0/5 vlan 2
 import interface GigabitEthernet1/0/7 vlan 2
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/9
#
security-zone name Management
 import interface GigabitEthernet1/0/0
 import interface GigabitEthernet1/0/2
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 authentication-mode scheme
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 GigabitEthernet1/0/9 192.55.158.254
#
 performance-management
#
 ssh server enable
#
 arp ip-conflict log prompt
 arp static 192.168.168.3 2047-473b-4349 2 GigabitEthernet1/0/3
#
acl advanced 3000
 rule 0 permit tcp destination 192.168.168.1 0 destination-port eq www
 rule 5 permit tcp destination-port eq dns
#
 radius session-control enable
#
domain system
 authentication login local
 authorization login local
 accounting login local
 authentication lan-access local
 authorization lan-access local
 accounting lan-access local
 authentication portal local
 authorization portal local
 accounting portal local
#
domain test
 authentication login local
 authorization login local
 accounting login local
 authentication lan-access local
 authorization lan-access local
 accounting lan-access local
 authentication portal local
 authorization portal local
 accounting portal local
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$IPZf0O7+mgqAlFoK$5donHZ6C74HBRt3FLXbI+iXclmnmX31UWE/EAF4YB10/rOPHglExtx/WofJFDc5/EZoOjzVS/ZpVpzFI2kL0ow==
 service-type ssh terminal https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user h3c class manage
 password hash $h$6$OjMesGmfmknMMHr5$NMJG1ITaJvPk5fKnoNAveX+kuhjBPtVxg5do6IqNx8ZGaPFxRRerHG2pox+wYUG5gWWSulwKNIBpvcbRI7kp2Q==
 service-type http https
 authorization-attribute user-role network-operator
#
 ipsec logging negotiation enable
#
nat policy
 rule name test
  outbound-interface GigabitEthernet1/0/9
  action easy-ip
#
 ike logging negotiation enable
#
portal free-rule 1 destination ip 192.168.168.1 255.255.255.255
portal free-rule 2 destination ip 192.168.168.1 255.255.255.255 udp 53
portal free-rule 2000 acl 3000
#
portal local-web-server http
 default-logon-page defaultfile.zip
 user-password modify enable
#
 ip https enable
#
 blacklist global enable
#
 loadbalance isp file flash:/lbispinfo_v1.5.tp
#
 user-identity enable
#
security-policy ip
 rule 1 name any
  action pass
  counting enable
  source-zone Trust
  destination-zone Local
 rule 0 name test
  action pass
  counting enable
  source-zone Trust
  source-zone Local
#
cloud-management server domain secops.h3c.com
#
return

感觉 posted 22 hours ago
