Huawei / H3C: configuring Portal authentication, mac-trigger fast authentication (MAC seamless authentication) and RADIUS authentication and accounting against an external Portal authentication and accounting system: a worked case
Introduction:
OpenPortal is a network admission authentication and accounting system. It supports username/password authentication, SMS authentication, DingTalk authorization, WeChat authentication, WeChat official-account authentication, quiz authentication, video countdown authentication, face recognition, visitor QR-code authorization, LDAP/AD domain authentication, extended authentication through third-party OA systems and other modes; it supports techniques such as secondary dial-on-behalf authentication; and it supports user self-registration, self-selected billing plans and self-service payment through Alipay and WeChat Pay.
It interoperates with every Huawei AC controller that supports Portal authentication, such as the AC6005 and AC6605; with every Layer 3 switch that supports Portal authentication, such as the S5700, S7606, 7706 and 7703; with every access router that supports Portal authentication, such as the Huawei AR-6280; and with multi-service gateways (BRAS) such as the ME60 and MA5200.
OpenPortal comprises a Portal protocol authentication system plus a RADIUS AAA authentication, accounting and authorization system. It supports the CMCC Portal protocol V1/V2 standards and the Huawei Portal protocol V1/V2; RADIUS per RFC 2865 and RFC 2866; the CMCC mac-trigger protocol and standard MAC authentication for MAC-first fast authentication (seamless authentication); and the push of a range of access policies such as rate limits, ACLs and IP pools.
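The RFC 2865 / RFC 2866 mechanics referred to above, shown as an added Python example (this is not OpenPortal's or H3C's code): how the AAA server checks the Request Authenticator of an Accounting-Request against the shared key, how it signs its Accounting-Response so the NAS can verify the reply, and how the User-Password attribute of an Access-Request is hidden with the MD5 keystream. The shared secret, the request authenticator and the accounting attributes are constructed placeholders; the real key is the one configured under radius scheme on the AC, and the NAS-IP-Address used in the sample is the nas-ip from the configuration below.

```python
"""RADIUS integrity checks (RFC 2865 / RFC 2866) as the AAA server side performs them."""
import hashlib
import hmac
import socket
import struct

# Constructed placeholder; the real value is the key configured under
# "radius scheme ... key authentication/accounting cipher" on the H3C.
SECRET = b"portal-shared-secret"
# Constructed 16-octet Request Authenticator for the password examples.
SAMPLE_RA = bytes(range(16))

ACCESS_REQUEST, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 4, 5


def attr(typ: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type, Length (includes the 2 header octets), Value."""
    return struct.pack("!BB", typ, len(value) + 2) + value


def header(code: int, ident: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def accounting_request_authenticator(ident: int, attrs: bytes, secret: bytes) -> bytes:
    # RFC 2866 s3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    return hashlib.md5(header(ACCOUNTING_REQUEST, ident, attrs) + bytes(16) + attrs + secret).digest()


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 s3: MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    return header(ACCOUNTING_REQUEST, ident, attrs) + accounting_request_authenticator(ident, attrs, secret) + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check that an Accounting-Request came from a NAS holding the shared key."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = accounting_request_authenticator(ident, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Empty Accounting-Response bound to the request's identifier and authenticator."""
    ident = request[1]
    ra = response_authenticator(ACCOUNTING_RESPONSE, ident, b"", request[4:20], secret)
    return header(ACCOUNTING_RESPONSE, ident, b"") + ra


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side (NAS) check of a reply: identifier must match and the authenticator must verify."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(response[4:20], expected)


def encrypt_user_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 s5.2: NUL-pad to a 16-octet multiple; c1 = p1 XOR MD5(S+RA), ci = pi XOR MD5(S+c(i-1))
    padded = password + bytes((-len(password)) % 16) if password else bytes(16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def decrypt_user_password(ciphertext: bytes, request_auth: bytes, secret: bytes) -> bytes:
    if not ciphertext or len(ciphertext) % 16 or len(ciphertext) > 128:
        raise ValueError("User-Password must be 16..128 octets and a multiple of 16")
    out, prev = bytearray(), request_auth
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strips the NUL padding (and any real trailing NULs)


def sample_accounting_start(ident: int = 7) -> bytes:
    """Constructed Acct-Start resembling what the AC (nas-ip 192.168.0.20) would send."""
    attrs = (attr(1, b"user01")                            # User-Name
             + attr(4, socket.inet_aton("192.168.0.20"))   # NAS-IP-Address
             + attr(40, struct.pack("!I", 1))              # Acct-Status-Type = Start
             + attr(44, b"0000001a")                       # Acct-Session-Id (constructed)
             + attr(31, b"00-1a-2b-3c-4d-5e"))             # Calling-Station-Id (client MAC, constructed)
    return build_accounting_request(ident, attrs, SECRET)


def tamper(packet: bytes) -> bytes:
    """Flip one bit in the attributes; the authenticator check must then fail."""
    b = bytearray(packet)
    b[-1] ^= 0x01
    return bytes(b)
```

RFC 2866 requires the server to silently discard an Accounting-Request whose authenticator does not verify, so a key mismatch after a re-key looks like a dead server from the NAS side; logging failed verifications on the server is the quickest way to tell the two apart.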
Requirements:
The H3C WX-series AC controller can act as the egress gateway for PPPoE dial-up or leased-line connections. It supports L2TP (which enables the cloud authentication and accounting deployment model over dial-up or multi-dial dynamic-IP networks), mac-trigger fast MAC seamless authentication together with Portal authentication, both the CMCC and the IMC protocol modes, and per-VAP rate limiting and ACL policy push.
The topology is as follows:
Device configuration:
******************************************************************************
* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
login: admin
Password:
<H3C-WX2510H>sys
System View: return to User View with Ctrl+Z.
[H3C-WX2510H]dis cur
#
version 7.1.064, Release 5226
#
sysname H3C-WX2510H
#
telnet server enable
#
dialer-group 1 rule ip permit
#
dhcp enable
#
password-recovery enable
#
vlan 1
#
vlan 100
#
vlan 200
#
dhcp server ip-pool wlan
gateway-list 172.16.0.1
network 172.16.0.0 mask 255.255.255.0
dns-list 114.114.114.114 202.98.192.67
forbidden-ip 172.16.0.1
forbidden-ip 172.16.0.10
#
interface Dialer0
ppp chap password cipher $c$3$MnsrYXKEg3UAugDLYToYM+rvweSIr2YBdw==
ppp chap user 0851xxxxxxxx
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 60
ip address ppp-negotiate
nat outbound
#
interface Virtual-PPP1
ppp chap password cipher $c$3$hgiYV2peyVHqfHszwP0PeYvpne1lIQ==
ppp chap user xxxxxxxx
ip address ppp-negotiate
l2tp-auto-client l2tp-group 1
#
interface NULL0
#
interface Vlan-interface100
ip address 192.168.0.20 255.255.255.0
nat outbound
undo dhcp select server
#
interface Vlan-interface200
ip address 172.16.0.1 255.255.255.0
dhcp server apply ip-pool wlan
portal enable method direct
portal domain v5
portal bas-ip 10.0.0.100
portal fail-permit server v5
portal apply web-server v5
portal apply mac-trigger-server v5
portal fail-permit web-server
portal outbound-filter enable
#
interface GigabitEthernet1/0/5
port link-mode route
description wan
shutdown
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 200 untagged
port hybrid pvid vlan 200
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 100
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 100
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 100
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 31
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 192.168.0.254
ip route-static 0.0.0.0 0 Dialer0 preference 100
ip route-static 10.0.0.1 32 Virtual-PPP1
#
undo info-center logfile enable
#
acl advanced 3000
rule 0 deny ip destination 114.114.114.114 0
rule 10 permit ip
#
radius session-control enable
radius nas-ip 192.168.0.20
#
radius scheme portal
primary authentication 192.168.0.1
primary accounting 192.168.0.1
key authentication cipher $c$3$luljjvSNrw/TiOjAFHbig+9EmAtbbSy/Ow==
key accounting cipher $c$3$2QBlzJAD/HaBi3qkXtkZ5aqfSXwq6eVObg==
timer realtime-accounting 5
user-name-format without-domain
nas-ip 192.168.0.20
#
radius scheme v5
primary authentication 10.0.0.1
primary accounting 10.0.0.1
key authentication cipher $c$3$gkLbvh+cFPOjtAYvqTzGIpQDlUkUqFTtww==
key accounting cipher $c$3$1G2kuCiURMD6ywMsvhnznS3K8KIVYhViRQ==
timer realtime-accounting 5
user-name-format without-domain
nas-ip 10.0.0.100
#
radius dynamic-author server
client ip 192.168.0.1 key cipher $c$3$ZritD/wSB3Dx8xkoJqDXOuuc0izCVlfsvQ==
client ip 10.0.0.1 key cipher $c$3$imaB4mamtOkg0YB8nPzyA6RJ0HJg5htCYA==
#
domain portal
authorization-attribute idle-cut 600 10240
authentication portal radius-scheme portal
authorization portal radius-scheme portal
accounting portal radius-scheme portal
#
domain system
#
domain v5
authorization-attribute idle-cut 600 10240
authentication portal radius-scheme v5
authorization portal radius-scheme v5
accounting portal radius-scheme v5
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$V6l15zHsaTdPV4Et$mYd9zqUrfLD/gay4+cnAkQGdlh0BbYKYWgVNgVGR9IL9CwR5ueibOiXVom1E5/ZbZMR7tEHpz2Iil+0tcj3CIw==
service-type telnet http https
authorization-attribute user-role network-admin
#
l2tp-group 1 mode lac
lns-ip 39.108.188.100
undo tunnel authentication
#
l2tp enable
#
portal nas-port-id format 4
portal host-check enable
portal free-rule 0 source ip 192.168.0.1 255.255.255.255 destination ip any
portal free-rule 1 source ip any destination ip 192.168.0.1 255.255.255.255
portal free-rule 10 source ip 114.114.114.114 255.255.255.255 destination ip any
portal free-rule 11 source ip any destination ip 114.114.114.114 255.255.255.255
portal free-rule 12 source ip 118.118.118.9 255.255.255.255 destination ip any
portal free-rule 13 source ip any destination ip 118.118.118.9 255.255.255.255
portal free-rule 14 source ip 118.118.118.7 255.255.255.255 destination ip any
portal free-rule 15 source ip any destination ip 118.118.118.7 255.255.255.255
portal free-rule 16 source ip 202.98.198.167 255.255.255.255 destination ip any
portal free-rule 17 source ip any destination ip 202.98.198.167 255.255.255.255
portal free-rule 18 source ip 202.98.192.67 255.255.255.255 destination ip any
portal free-rule 19 source ip any destination ip 202.98.192.67 255.255.255.255
portal free-rule 20 source ip 39.108.188.100 255.255.255.255 destination ip any
portal free-rule 21 source ip any destination ip 39.108.188.100 255.255.255.255
#
portal web-server portal
url http://192.168.0.1/html_phone_all/index.html
server-detect interval 60 retry 2 trap
server-type cmcc
url-parameter basip value 192.168.0.20
url-parameter mac source-mac
url-parameter url original-url
url-parameter vlan vlan
url-parameter wlanuserip source-address
#
portal web-server v5
url https://portal.openportal.com.cn/index_choose
server-type cmcc
url-parameter basip value 10.0.0.100
url-parameter mac source-mac
url-parameter url original-url
url-parameter vlan vlan
url-parameter wlanuserip source-address
#
portal server portal
ip 192.168.0.1 key cipher $c$3$btxt8S1jS5tOQlrl+xVpvuaJFUJJLITTlg==
server-detect trap
server-type cmcc
#
portal server v5
ip 10.0.0.1 key cipher $c$3$Tru54pt2cHm4xVo17Vl+bdJ3epbN6GO3Vw==
server-type cmcc
#
ip http enable
ip https enable
#
portal mac-trigger-server portal
ip 192.168.0.1 key cipher $c$3$T6WO1a9vipUaJJbV6jZgkSAFnKnxJTvJEA==
server-type cmcc
binding-retry 1
aaa-fail nobinding enable
#
portal mac-trigger-server v5
ip 10.0.0.1 key cipher $c$3$gT5/4cnmESqMniE2zxUQlu2sKswhntmM7A==
server-type cmcc
binding-retry 1
aaa-fail nobinding enable
#
wlan global-configuration
#
wlan ap-group default-group
vlan 1
#
return
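As an added example (not part of the original page and not OpenPortal's code), the following Python shows how the external Portal server should treat the redirect that the configuration above makes the AC build. The url-parameter lines under portal web-server append basip, mac, url, vlan and wlanuserip to the query string; because the client's browser carries that request, the server must validate every parameter rather than trust it: basip against the BAS addresses it actually knows, wlanuserip against the Portal-enabled subnet, the MAC against a strict format before it is used for mac-trigger binding, and the original url only as an absolute http/https target so the post-login redirect cannot be pointed elsewhere. The BAS addresses (192.168.0.20, 10.0.0.100) and the user subnet (172.16.0.0/24 on Vlan-interface200) are taken from the configuration; the sample redirect URL and the default landing page are constructed.

```python
"""Validation of the Portal redirect the AC builds from its url-parameter settings."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# From the H3C configuration: the basip values the two portal web-server blocks
# advertise, and the Vlan-interface200 subnet on which Portal is enabled.
KNOWN_BAS = {"192.168.0.20", "10.0.0.100"}
USER_SUBNETS = (ip_network("172.16.0.0/24"),)
# Assumption: where to send the client after login when the "url" parameter is unusable.
DEFAULT_LANDING = "https://portal.example.com/welcome"

# Constructed example of the redirect the AC would issue for a client in VLAN 200.
SAMPLE_REDIRECT = ("http://192.168.0.1/html_phone_all/index.html"
                   "?basip=192.168.0.20&mac=001a-2b3c-4d5e"
                   "&url=http%3A%2F%2Fexample.com%2Fnews&vlan=200&wlanuserip=172.16.0.55")


class RedirectError(ValueError):
    """Raised when a redirect parameter is missing, malformed, or not from a known BAS."""


@dataclass(frozen=True)
class RedirectContext:
    bas_ip: str
    user_ip: str
    mac: str           # normalised to aa:bb:cc:dd:ee:ff
    vlan: int
    original_url: str  # safe to redirect to after authentication


def normalize_mac(raw: str):
    """Accept aabb-ccdd-eeff, aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; reject the rest."""
    hexstr = re.sub(r"[-:.]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexstr):
        return None
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def safe_original_url(raw: str) -> str:
    """Only absolute http/https URLs are honoured; '//host/...' and other schemes fall back."""
    parts = urlsplit(raw)
    if parts.scheme in ("http", "https") and parts.netloc:
        return raw
    return DEFAULT_LANDING


def parse_redirect(url: str) -> RedirectContext:
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def one(name: str) -> str:
        values = query.get(name, [])
        if len(values) != 1:  # missing or repeated parameter: refuse rather than pick one
            raise RedirectError(f"parameter {name!r} missing or repeated")
        return values[0]

    bas_ip = one("basip")
    if bas_ip not in KNOWN_BAS:
        raise RedirectError(f"basip {bas_ip} is not a configured BAS")
    user_ip = ip_address(one("wlanuserip"))  # raises ValueError on a malformed address
    if not any(user_ip in net for net in USER_SUBNETS):
        raise RedirectError(f"wlanuserip {user_ip} is outside the Portal-enabled subnets")
    mac = normalize_mac(one("mac"))
    if mac is None:
        raise RedirectError("mac is not a 48-bit hardware address")
    vlan = int(one("vlan"))  # raises ValueError if not numeric
    if not 1 <= vlan <= 4094:
        raise RedirectError(f"vlan {vlan} out of range")
    return RedirectContext(bas_ip, str(user_ip), mac, vlan, safe_original_url(one("url")))


if __name__ == "__main__":
    print(parse_redirect(SAMPLE_REDIRECT))
```

The basip check matters twice: it is the address the server must send its Portal protocol messages (and the CMCC mac-trigger binding) back to, and an unknown value should be logged rather than used, since replying to an arbitrary address would turn the server into a message relay.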