H3C integration with an external Portal authentication + RADIUS authentication and accounting platform
Implementing MAC seamless (user-unaware) authentication based on the mac-trigger fast authentication protocol
Combined with L2TP for deployment on Alibaba Cloud
Integrating with AD domain LDAP to provide real-name username/password authentication, guest SMS authentication, QR-code scan authentication, DingTalk authorization authentication, fast guest account creation by ID-card swipe, two-factor and multi-factor authentication, and more
Requirements:
The H3C-WX2510H can act as the egress gateway for PPPoE dial-up or leased-line connections. The device supports L2TP (which allows the cloud-hosted authentication and accounting service deployment model in dial-up or multi-dial dynamic-IP network environments), supports mac-trigger fast MAC seamless authentication + Portal authentication, supports both the CMCC protocol mode and the IMC protocol mode, and supports per-VAP rate limiting and delivery of vcl policies.
The topology is as follows:
Device configuration:

******************************************************************************
* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

login: admin
Password:
<H3C-WX2510H>sys
System View: return to User View with Ctrl+Z.
[H3C-WX2510H]dis cur
#
 version 7.1.064, Release 5226
#
 sysname H3C-WX2510H
#
 telnet server enable
#
 dialer-group 1 rule ip permit
#
 dhcp enable
#
 password-recovery enable
#
vlan 1
#
vlan 100
#
vlan 200
#
dhcp server ip-pool wlan
 gateway-list 172.16.0.1
 network 172.16.0.0 mask 255.255.255.0
 dns-list 114.114.114.114 202.98.192.67
 forbidden-ip 172.16.0.1
 forbidden-ip 172.16.0.10
#
interface Dialer0
 ppp chap password cipher $c$3$MnsrYXKEg3UAugDLYToYM+rvweSIr2YBdw==
 ppp chap user 0851xxxxxxxx
 dialer bundle enable
 dialer-group 1
 dialer timer idle 0
 dialer timer autodial 60
 ip address ppp-negotiate
 nat outbound
#
interface Virtual-PPP1
 ppp chap password cipher $c$3$hgiYV2peyVHqfHszwP0PeYvpne1lIQ==
 ppp chap user xxxxxxxx
 ip address ppp-negotiate
 l2tp-auto-client l2tp-group 1
#
interface NULL0
#
interface Vlan-interface100
 ip address 192.168.0.20 255.255.255.0
 nat outbound
 undo dhcp select server
#
interface Vlan-interface200
 ip address 172.16.0.1 255.255.255.0
 dhcp server apply ip-pool wlan
 portal enable method direct
 portal domain v5
 portal bas-ip 10.0.0.100
 portal fail-permit server v5
 portal apply web-server v5
 portal apply mac-trigger-server v5
 portal fail-permit web-server
 portal outbound-filter enable
#
interface GigabitEthernet1/0/5
 port link-mode route
 description wan
 shutdown
 pppoe-client dial-bundle-number 0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 100
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 100
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 100
#
 scheduler logfile size 16
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 31
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 0.0.0.0 0 192.168.0.254
 ip route-static 0.0.0.0 0 Dialer0 preference 100
 ip route-static 10.0.0.1 32 Virtual-PPP1
#
 undo info-center logfile enable
#
acl advanced 3000
 rule 0 deny ip destination 114.114.114.114 0
 rule 10 permit ip
#
 radius session-control enable
 radius nas-ip 192.168.0.20
#
radius scheme portal
 primary authentication 192.168.0.1
 primary accounting 192.168.0.1
 key authentication cipher $c$3$luljjvSNrw/TiOjAFHbig+9EmAtbbSy/Ow==
 key accounting cipher $c$3$2QBlzJAD/HaBi3qkXtkZ5aqfSXwq6eVObg==
 timer realtime-accounting 5
 user-name-format without-domain
 nas-ip 192.168.0.20
#
radius scheme v5
 primary authentication 10.0.0.1
 primary accounting 10.0.0.1
 key authentication cipher $c$3$gkLbvh+cFPOjtAYvqTzGIpQDlUkUqFTtww==
 key accounting cipher $c$3$1G2kuCiURMD6ywMsvhnznS3K8KIVYhViRQ==
 timer realtime-accounting 5
 user-name-format without-domain
 nas-ip 10.0.0.100
#
radius dynamic-author server
 client ip 192.168.0.1 key cipher $c$3$ZritD/wSB3Dx8xkoJqDXOuuc0izCVlfsvQ==
 client ip 10.0.0.1 key cipher $c$3$imaB4mamtOkg0YB8nPzyA6RJ0HJg5htCYA==
#
domain portal
 authorization-attribute idle-cut 600 10240
 authentication portal radius-scheme portal
 authorization portal radius-scheme portal
 accounting portal radius-scheme portal
#
domain system
#
domain v5
 authorization-attribute idle-cut 600 10240
 authentication portal radius-scheme v5
 authorization portal radius-scheme v5
 accounting portal radius-scheme v5
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$V6l15zHsaTdPV4Et$mYd9zqUrfLD/gay4+cnAkQGdlh0BbYKYWgVNgVGR9IL9CwR5ueibOiXVom1E5/ZbZMR7tEHpz2Iil+0tcj3CIw==
 service-type telnet http https
 authorization-attribute user-role network-admin
#
l2tp-group 1 mode lac
 lns-ip 39.108.188.100
 undo tunnel authentication
#
 l2tp enable
#
 portal nas-port-id format 4
 portal host-check enable
 portal free-rule 0 source ip 192.168.0.1 255.255.255.255 destination ip any
 portal free-rule 1 source ip any destination ip 192.168.0.1 255.255.255.255
 portal free-rule 10 source ip 114.114.114.114 255.255.255.255 destination ip any
 portal free-rule 11 source ip any destination ip 114.114.114.114 255.255.255.255
 portal free-rule 12 source ip 118.118.118.9 255.255.255.255 destination ip any
 portal free-rule 13 source ip any destination ip 118.118.118.9 255.255.255.255
 portal free-rule 14 source ip 118.118.118.7 255.255.255.255 destination ip any
 portal free-rule 15 source ip any destination ip 118.118.118.7 255.255.255.255
 portal free-rule 16 source ip 202.98.198.167 255.255.255.255 destination ip any
 portal free-rule 17 source ip any destination ip 202.98.198.167 255.255.255.255
 portal free-rule 18 source ip 202.98.192.67 255.255.255.255 destination ip any
 portal free-rule 19 source ip any destination ip 202.98.192.67 255.255.255.255
 portal free-rule 20 source ip 39.108.188.100 255.255.255.255 destination ip any
 portal free-rule 21 source ip any destination ip 39.108.188.100 255.255.255.255
#
portal web-server portal
 url http://192.168.0.1/html_phone_all/index.html
 server-detect interval 60 retry 2 trap
 server-type cmcc
 url-parameter basip value 192.168.0.20
 url-parameter mac source-mac
 url-parameter url original-url
 url-parameter vlan vlan
 url-parameter wlanuserip source-address
#
portal web-server v5
 url https://portal.openportal.com.cn/index_choose
 server-type cmcc
 url-parameter basip value 10.0.0.100
 url-parameter mac source-mac
 url-parameter url original-url
 url-parameter vlan vlan
 url-parameter wlanuserip source-address
#
portal server portal
 ip 192.168.0.1 key cipher $c$3$btxt8S1jS5tOQlrl+xVpvuaJFUJJLITTlg==
 server-detect trap
 server-type cmcc
#
portal server v5
 ip 10.0.0.1 key cipher $c$3$Tru54pt2cHm4xVo17Vl+bdJ3epbN6GO3Vw==
 server-type cmcc
#
 ip http enable
 ip https enable
#
portal mac-trigger-server portal
 ip 192.168.0.1 key cipher $c$3$T6WO1a9vipUaJJbV6jZgkSAFnKnxJTvJEA==
 server-type cmcc
 binding-retry 1
 aaa-fail nobinding enable
#
portal mac-trigger-server v5
 ip 10.0.0.1 key cipher $c$3$gT5/4cnmESqMniE2zxUQlu2sKswhntmM7A==
 server-type cmcc
 binding-retry 1
 aaa-fail nobinding enable
#
wlan global-configuration
#
wlan ap-group default-group
 vlan 1
#
return

Introduction:
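The dump above wires interface Vlan-interface200 to domain v5, web-server v5 and mac-trigger-server v5, which in turn resolve to radius scheme v5, and it opens each portal free-rule in both directions. The following Python checker is added here and is not part of the original article or of OpenPortal: it parses a dump in that layout and reports profile references that resolve to nothing and free-rules that exist in only one direction (both are silent misconfigurations that leave the portal or RADIUS path broken). The excerpt it runs on is constructed, with 198.51.100.7 as a placeholder address and two deliberate defects.

```python
import re
# Constructed excerpt in the "display current-configuration" layout (blocks end at a "#" line).
SAMPLE_CFG = """\
interface Vlan-interface200
 portal domain v5
 portal apply web-server v5
#
domain v5
 authentication portal radius-scheme v5
 accounting portal radius-scheme portal
#
radius scheme v5
#
portal web-server v5
#
 portal free-rule 20 source ip 39.108.188.100 255.255.255.255 destination ip any
 portal free-rule 21 source ip any destination ip 39.108.188.100 255.255.255.255
 portal free-rule 30 source ip 198.51.100.7 255.255.255.255 destination ip any
"""
def parse_blocks(cfg):
    # Group lines by block header; indented commands outside any block go to "global".
    blocks, header, body = {}, "global", []
    for line in cfg.splitlines():
        if line.strip() == "#":
            blocks.setdefault(header, []).extend(body)
            header, body = "global", []
        elif header == "global" and line and not line.startswith(" "):
            header = line.strip()
        else:
            body.append(line.strip())
    blocks.setdefault(header, []).extend(body)
    return blocks
# (block prefix, command pattern, prefix of the block the captured name must resolve to)
REFS = [("interface ", r"portal domain (\S+)", "domain "),
        ("interface ", r"portal apply web-server (\S+)", "portal web-server "),
        ("interface ", r"portal apply mac-trigger-server (\S+)", "portal mac-trigger-server "),
        ("domain ", r"\w+ portal radius-scheme (\S+)", "radius scheme ")]
RULE = re.compile(r"portal free-rule \d+ source ip (\S+)(?: \S+)? destination ip (\S+)")
def audit(cfg):
    blocks, problems = parse_blocks(cfg), []
    for src, pat, dst in REFS:  # every profile a block binds must be defined in the dump
        for name, lines in blocks.items():
            for m in (re.match(pat, l) for l in lines if name.startswith(src)):
                if m and dst + m.group(1) not in blocks:
                    problems.append(f"{name}: references undefined '{dst}{m.group(1)}'")
    # A free-rule opened in one direction only leaves the server path half-open.
    pairs = {m.groups() for m in map(RULE.match, blocks.get("global", [])) if m}
    for s, d in sorted(pairs):
        if (d, s) not in pairs:
            problems.append(f"free-rule {s}->{d} has no reverse rule {d}->{s}")
    return problems
```

Run `audit(open("dump.txt").read())` against a real dump to list both classes of finding; an empty list means every bound profile resolves and every free-rule has its reverse.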
OpenPortal network access authentication and accounting integrates with all H3C AC controllers that support Portal authentication, such as the WX2510H, WX3540H and WX6108; with all Layer 3 switches that support Portal authentication, such as the S12708, S5560, 7506 and 7706; with all access routers and firewalls that support Portal authentication, such as the H3C ICG2000B; and with multi-service BRAS gateways.
It consists of a Portal protocol authentication system plus a RADIUS AAA authentication, accounting and authorization system. It supports the CMCC V1 and V2 protocol standards and Huawei Portal protocol V1 and V2, supports the RADIUS protocol per RFC 2865 and RFC 2866, supports the CMCC-standard mac-trigger protocol and mac-auth-standard MAC-first fast MAC authentication (seamless authentication), supports delivery of rate-limit policies, ACLs, ip-pools and other access-policy settings, and supports Portal heartbeat keepalive detection and fail-open (escape) behaviour with both H3C and Huawei devices.
Supported authentication modes include username/password, SMS, DingTalk authorization, WeChat, WeChat official-account, quiz-based, video-countdown, face recognition, guest QR-code authorization, LDAP/AD domain combined authentication, third-party OA system extended authentication and many more; it also supports secondary proxy-dial authentication, user self-registration, and self-service selection of billing plans with Alipay and WeChat Pay payment.
For integrating H3C-WX2510H series AC controllers with third-party portal authentication, see the following article:
H3C-WX2510H integration with the OpenPortal network access authentication and accounting system to implement fast MAC authentication + Portal authentication_OpenPortal network access Web authentication-CSDN Blog
For integrating Huawei AC6605 series AC controllers with third-party portal authentication, see the following article:
Huawei AC6605 integration with the OpenPortal network access authentication and accounting system to implement fast MAC authentication + Portal authentication_OpenPortal network access Web authentication-CSDN Blog