开启辅助访问 设为首页     收藏本站     HTTPS安全访问
 找回密码
 立即注册

H3C防火墙对接OpenPortal实现Mac快速认证+Portal认证

admin 回复:0 | 查看:13636 | 发表于 2017-9-3 20:37:22 |阅读模式 |复制链接
H3C 防火墙对接OpenPortal实现Mac快速认证+Portal认证

******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

login: admin
Password:
<CRLF215>sys
System View: return to User View with Ctrl+Z.
[CRLF215]dis cur
#
version 7.1.064, Release 9313P15
#
sysname CRLF215
#
clock timezone Beijing add 08:00:00
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 32
irf member 2 priority 1
#
security-zone intra-zone default permit
#
ip unreachables enable
ip ttl-expires enable
#
nat address-group 1
address 183.230.204.41 183.230.204.42
#
dhcp enable
#
dns proxy enable
dns server 218.201.4.3
dns server 114.114.114.114
dns server 61.128.192.68
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
vlan 7
description DMZ_LINK
#
vlan 1101
description WIFI_GUEST
#
irf-port 1/1
port group interface GigabitEthernet1/0/22
port group interface GigabitEthernet1/0/23
#
irf-port 2/2
port group interface GigabitEthernet2/0/22
port group interface GigabitEthernet2/0/23
#
object-group ip address 192.168.206.3/255.255.255.255
0 network host address 192.168.206.3
#
object-group ip address 222.180.160.38/255.255.255.252
0 network subnet 222.180.160.36 255.255.255.252
#
dhcp server ip-pool free_wifi
gateway-list 192.168.63.254
network 192.168.0.0 mask 255.255.192.0
address range 192.168.0.1 192.168.63.252
dns-list 192.168.63.254 114.114.114.114
expired day 0 hour 10
#
nqa template icmp chinanet_icmp
destination ip 222.180.160.37
#
nqa template icmp cmcc_ha
destination ip 183.230.204.1
#
interface Reth1
#
interface Reth2
#
interface Bridge-Aggregation15
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 7 to 8 1101
link-aggregation mode dynamic
#
interface Route-Aggregation1
description CMCC
bandwidth 980000
ip address 183.230.204.44 255.255.255.0
link-aggregation mode dynamic
nat outbound 2000
nat server protocol tcp global current-interface 13389 inside 192.168.60.2 3389
nat hairpin enable
#
interface Route-Aggregation2
description CHINA_NET
bandwidth 90000
ip address 222.180.160.38 255.255.255.252
link-aggregation mode dynamic
nat outbound 2001
#
interface NULL0
#
interface Vlan-interface7
description DMZ_LINK
ip address 192.168.206.253 255.255.255.0
#
interface Vlan-interface1101
description WIFI_GUEST
ip address 192.168.63.254 255.255.192.0
dhcp server apply ip-pool free_wifi
portal enable method direct
portal domain shinkong
portal bas-ip 192.168.63.254
portal apply web-server openportal
portal apply mac-trigger-server openportal
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 10.132.99.215 255.255.254.0
#
interface GigabitEthernet1/0/1
port link-mode route
port link-aggregation group 1
#
interface GigabitEthernet1/0/2
port link-mode route
port link-aggregation group 2
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet2/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/1
port link-mode route
shutdown
port link-aggregation group 1
#
interface GigabitEthernet2/0/2
port link-mode route
port link-aggregation group 2
#
interface GigabitEthernet2/0/3
port link-mode route
#
interface GigabitEthernet2/0/4
port link-mode route
#
interface GigabitEthernet2/0/5
port link-mode route
#
interface GigabitEthernet2/0/6
port link-mode route
#
interface GigabitEthernet2/0/7
port link-mode route
#
interface GigabitEthernet2/0/8
port link-mode route
#
interface GigabitEthernet2/0/9
port link-mode route
#
interface GigabitEthernet2/0/10
port link-mode route
#
interface GigabitEthernet2/0/11
port link-mode route
#
interface GigabitEthernet2/0/12
port link-mode route
#
interface GigabitEthernet2/0/13
port link-mode route
#
interface GigabitEthernet2/0/14
port link-mode route
shutdown
#
interface GigabitEthernet2/0/16
port link-mode route
#
interface GigabitEthernet2/0/17
port link-mode route
#
interface GigabitEthernet2/0/18
port link-mode route
#
interface GigabitEthernet2/0/19
port link-mode route
#
interface GigabitEthernet2/0/20
port link-mode route
#
interface GigabitEthernet2/0/21
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 7 to 8 1101
port link-aggregation group 15
#              
interface GigabitEthernet2/0/15
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 7 to 8 1101
port link-aggregation group 15
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet2/0/22
#
interface GigabitEthernet2/0/23
#
object-policy ip DMZ-Local
rule 0 pass
#
object-policy ip DMZ-Trust
rule 0 pass
rule 0 comment portaló?·??í?¥í¨
#
object-policy ip Local-DMZ
rule 0 pass
#
object-policy ip Local-Untrust
rule 0 pass
#
object-policy ip Permit-Any
rule 1 pass
rule 1 comment 1üàí?±êy?Yí¨μà
#
object-policy ip Trust-DMZ
rule 0 pass
rule 0 comment portaló?·??í?¥í¨
#
object-policy ip Untrust-Local
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1101
import interface Bridge-Aggregation15 vlan 1101
import interface GigabitEthernet1/0/15 vlan 1101
import interface GigabitEthernet2/0/15 vlan 1101
#
security-zone name DMZ
import interface Vlan-interface7
import interface Bridge-Aggregation15 vlan 7
import interface GigabitEthernet1/0/15 vlan 7
import interface GigabitEthernet2/0/15 vlan 7
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
import interface GigabitEthernet2/0/1
import interface GigabitEthernet2/0/2
import interface Route-Aggregation1
import interface Route-Aggregation2
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet2/0/0
#
zone-pair security source DMZ destination Local
object-policy apply ip DMZ-Local
#
zone-pair security source DMZ destination Trust
object-policy apply ip DMZ-Trust
#
zone-pair security source Local destination DMZ
object-policy apply ip Local-DMZ
#
zone-pair security source Local destination Trust
object-policy apply ip Permit-Any
packet-filter 3000
#
zone-pair security source Local destination Untrust
object-policy apply ip Local-Untrust
#
zone-pair security source Trust destination DMZ
object-policy apply ip Trust-DMZ
#
zone-pair security source Trust destination Local
object-policy apply ip Permit-Any
packet-filter 3000
#
zone-pair security source Trust destination Untrust
packet-filter 3000
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
packet-filter 3000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line aux 1
user-role network-operator
#
line con 0 1   
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 183.230.204.1
ip route-static 0.0.0.0 0 222.180.160.37
ip route-static 10.132.0.0 16 10.132.99.254
ip route-static 10.202.0.0 16 10.132.99.254
#
snmp-agent
snmp-agent local-engineid 800063A2801CAB3497BA0A00000001
snmp-agent community write private
snmp-agent community read public
snmp-agent community read singkong_read
snmp-agent sys-info contact JSHZX Tech. Co.0512-65155382
snmp-agent sys-info location ChongQing
snmp-agent sys-info version v2c v3
snmp-agent target-host trap address udp-domain 10.132.100.31 params securityname public v2c
#
ssh server enable
#
ntp-service enable
ntp-service unicast-server 10.132.100.31
ntp-service unicast-server 140.112.2.189
#
acl basic 2000
description NAT_MOBILE
rule 0 permit source 192.168.0.0 0.0.255.255
#
acl basic 2001
rule 0 permit source 192.168.0.0 0.0.255.255
#
acl basic 2005
rule 0 permit source 192.168.25.140 0
#
acl advanced 3000
rule 0 permit ip
#
acl advanced 3001
#
attack-defense login enable
attack-defense login reauthentication-delay 5
#              
radius session-control enable
#
radius scheme openportal
primary authentication 192.168.206.3 key cipher $c$3$ami5c7GwnmdC8yLyLlUcDl/h3SoAzJjXiwk09g==
primary accounting 192.168.206.3 key cipher $c$3$xsrF//410DtGAwQpWE39d4D8XKdv/hOLoo76dg==
timer realtime-accounting 5
user-name-format without-domain
nas-ip 192.168.63.254
attribute 25 car
attribute remanent-volume unit byte
#
domain shinkong
authentication portal radius-scheme openportal
authorization portal radius-scheme openportal
accounting portal radius-scheme openportal
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#              
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user Admin class manage
password hash $h$6$9S8H/JVKXUVIjEP8$SFhsJMhQ+1ACBOZCnvCrKjAA4ANBLjPqiXa+SpCuaGGnz2V9eXJKV0YLRnazuOFkXVbvRT/Zj2UKWUWL9ZY6nQ==
service-type ftp
service-type ssh telnet terminal
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user admin class manage
password hash $h$6$4ZzWSR7bFoVhyhrt$HTMnJUfUNp+H/MG6eDwGwITYDb6CK1gLO7wwKMnnYau0t36Zi3xO58+ReUpfjQH1jz8IMPfywPoZM1Emu7dgWw==
service-type ftp
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user root class manage
password hash $h$6$JxG/cDPhkOieCebc$IN4ehNjrzqjdqjlb/SqPM5//Vj7M0PYnw/bfHZz42KBI4KX5IV5/qBbLfm8W8AT6UrE6cgy+fpoubOoEujOknA==
service-type ftp
service-type ssh telnet terminal http https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#              
local-user system.3010 class manage
password hash $h$6$VlYrQSDakwXc19G0$Ckw1XrAW7Rf0SXQnql8kHwdZvI6eDcRSfn6hYLDWyQ33PvmielP9VnoNz3Hk4WIfnq+Y4ik2jNfe+LIVuHDMNA==
service-type ftp
service-type ssh telnet terminal
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user user class manage
password hash $h$6$KByxYzANLOUSFAqO$PCzO38sMyyXpK0gjBD5bQY06cNBYSJB6LbhYD7mdM8ER9GXxmumDRPdhKI3v10UrLux09p3xGaeC/mS3eeOMnw==
service-type ssh telnet terminal
authorization-attribute user-role guest-manager
authorization-attribute user-role network-operator
#
local-user admin class network
password cipher $c$3$kQVhd9soXrZlXSle0Lmdht8B4UHO44UBdfpD
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group SSL
#
ftp server enable
#
session top-statistics enable
session synchronization enable asymmetric
session synchronization dns http
#
ipsec redundancy enable
#
portal roaming enable
portal device-id CRLF215
undo portal refresh arp enable
portal free-rule 0 destination ip 192.168.206.3 255.255.255.255
portal free-rule 1 destination ip 114.114.114.114 255.255.255.255
portal free-rule 2 destination ip 192.168.63.254 255.255.255.255
portal free-rule 3 destination ip 192.168.206.253 255.255.255.255
portal free-rule 4 destination ip 218.201.4.3 255.255.255.255
portal free-rule 5 destination ip 218.201.17.2 255.255.255.255
portal free-rule 6 source ip 192.168.63.254 255.255.255.255
portal free-rule 7 source ip 192.168.206.3 255.255.255.255 destination ip any
portal free-rule 8 source ip any destination ip 192.168.206.3 255.255.255.255
portal free-rule 9 source ip 192.168.206.253 255.255.255.255 destination ip any
portal free-rule 10 source ip any destination ip 192.168.206.253 255.255.255.255
portal free-rule 11 source ip 192.168.60.2 255.255.255.255 tcp 3389
portal free-rule 20 source ip 183.213.19.179 255.255.255.255 destination ip any
portal free-rule 21 source ip any destination ip 183.213.19.179 255.255.255.255
portal free-rule 50 source mac 0028-f80d-8847
portal free-rule 51 source mac 000a-f571-aa98
portal free-rule 52 source mac c0ee-fbf1-031e
portal free-rule 54 source mac 9465-2d9d-a795
#
portal web-server openportal
url http://192.168.206.3/html_xgtd/portal.html
server-type cmcc
url-parameter mac source-mac
url-parameter wlanuserip source-address
#
portal server openportal
ip 192.168.206.3 key cipher $c$3$DqJLCqZ+yHuZvjK2zZBZb7j/Tsh2ClUaGrAegA==
server-type cmcc
#
portal mac-trigger-server openportal
ip 192.168.206.3
server-type cmcc
binding-retry 1
#
ip http enable
ip https enable
#
blacklist ip 2.86.117.69
blacklist ip 24.122.31.40
blacklist ip 45.116.114.41
blacklist ip 94.52.199.54
blacklist ip 104.60.115.85
blacklist ip 115.159.88.116
blacklist ip 115.249.117.176
blacklist ip 130.0.25.92
blacklist ip 182.43.106.33
blacklist ip 194.135.89.47
blacklist ip 198.98.85.19
#
sticky-group sip type address-port
ip port source
#
loadbalance link-group dianxin
fail-action reset
transparent enable
probe icmp
#
loadbalance link-group yidong
fail-action reset
transparent enable
probe icmp
#              
loadbalance class dianxin type link-generic match-any
match 1 isp chinatel
#
loadbalance class yidong type link-generic match-any
match 1 isp cmcc
#
loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
forward all
#
loadbalance action ob$action$#for#dianxin type link-generic
link-group dianxin sticky sip
fallback-action continue
#
loadbalance action ob$action$#for#yidong type link-generic
link-group yidong sticky sip
fallback-action continue
#
loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
class yidong action ob$action$#for#yidong
class dianxin action ob$action$#for#dianxin
default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
virtual ip address 0.0.0.0 0
lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
service enable
connection-sync enable
sticky-sync enable
bandwidth busy-protection enable
bandwidth interface statistics enable
#
loadbalance isp file lbispinfo.tp
#
loadbalance link dianxin
router ip 222.180.160.37
link-group dianxin
probe chinanet_icmp
#
loadbalance link yidong
router ip 183.230.204.1
link-group yidong
probe cmcc_ha
#
traffic-policy
profile name 01
  bandwidth downstream guaranteed 1070000
  bandwidth downstream maximum 1080000
  bandwidth upstream guaranteed 1070000
  bandwidth upstream maximum 1080000
  traffic-priority 4
  bandwidth upstream maximum per-ip 10000
  bandwidth downstream maximum per-ip 10000
#
sslvpn ip address-pool ssl 172.16.255.2 172.16.255.5
#
sslvpn gateway SSL_CHINANET
ip address 222.180.160.38 port 8888
service enable
#
sslvpn gateway SSL_CMCC
ip address 183.230.204.44 port 8000
service enable
#
sslvpn context SSL
gateway SSL_CHINANET
gateway SSL_CMCC
ip-tunnel address-pool ssl mask 255.255.255.0
ip-route-list SSL
  include 10.132.100.25 255.255.255.255
  include 10.132.100.31 255.255.255.255
url-list WEB
  heading IMC
  url AC url-value 10.132.100.25/web/frame/login.html
  url IMC url-value 10.132.100.31:8080/imc/login.xhtml
  url sangfor url-value https://10.132.99.217
policy-group SSL
  filter ip-tunnel 3000
  filter web-access 3000
  ip-tunnel access-route ip-route-list SSL
  resources url-list WEB
default-policy-group SSL
service enable
#
ips policy default
#
anti-virus policy default
#
anti-virus signature auto-update
update schedule daily start-time 03:01:00 tingle 120
#
return
[CRLF215]

回复

使用道具 举报

登录 发布 快速回复 返回顶部 返回列表