Ruijie Community

Title: How to configure web authentication on the Ruijie switch?

Author: zhangqiao@ruiji    Time: 2024-8-29 16:41
Networking requirements

1. Users authenticate with an ordinary web browser; no additional client authentication software needs to be installed.
2. When an unauthenticated user tries to access the Internet, the device redirects the user to a specific site, where the services can be used free of charge.
3. To use other Internet resources, the user must first authenticate with the web authentication server; only after authentication can the user access Internet resources.
4. Authenticated users are charged (accounting).
5. Users do not need authentication to access related servers.
6. Authentication-free users can be defined by source MAC address (srcMAC); such users use Internet resources without authentication restrictions.
7. Authentication-free users can be defined by source IP address (srcIP, including the management IP address of the downstream switch); such users use Internet resources without authentication restrictions.
8. Configure seamless online for authenticated users.
9. Prevent ARP spoofing.
Network topology



3. Configuration key steps
Core switch configuration
1. Configure the AAA function
2. Configure the web redirection page and the web authentication redirection server (eportal server).
3. Set authentication-exempt users (srcIP) -----> Note: the downstream switch must remain manageable by the NMS, so set it as an authentication-exempt user.
4. Set authentication-exempt users (srcMAC) (optional)
5. Offline detection based on user traffic (optional, according to customer demand)
Key points for the connected switches
Downlink switch configuration:
1. Anti-attack settings
  1) Prevent ARP spoofing
  2) Prevent DHCP spoofing
2. Loop prevention settings
Eportal server configuration key steps
Add the device
4. Configuration steps:
Core switch configuration:
1. Configure the AAA function

Ruijie#configure

Ruijie(config)#aaa new-model

Ruijie(config)#radius-server host 17.17.1.5 key ruijie

Ruijie(config)#aaa authentication web-auth ruijie-1 group radius ------> Create an authentication list named ruijie-1

Ruijie(config)#aaa accounting network ruijie-2 start-stop group radius ------> Create an accounting list named ruijie-2



2. Configure the web redirection page and the web authentication redirection server (eportal server)

Ruijie(config)#web-auth template eportalv2

Ruijie(config.tmplt.eportalv2)#ip 17.17.1.6

Ruijie(config.tmplt.eportalv2)#exit

Ruijie(config)#web-auth portal key ruijie ------> Configure the key used by the authentication device to communicate with the authentication server

Ruijie(config)#web-auth template eportalv2

Ruijie(config.tmplt.eportalv2)#url http://17.17.1.6/eportal/index.jsp

Ruijie(config.tmplt.eportalv2)#authentication ruijie-1 ------> Bind the authentication list

Ruijie(config.tmplt.eportalv2)#accounting ruijie-2 ------> Bind the accounting list

Ruijie(config.tmplt.eportalv2)#exit

Ruijie(config)#interface GigabitEthernet 1/1

Ruijie(config-if)#web-auth enable eportalv2 ------> Enable web authentication on the interface

Ruijie(config-if)#exit



3. Exempt the gateway address with the arp option

Ruijie(config)#http redirect direct-site 18.1.1.1 arp ------> Add the gateway IP address to the authentication-exempt network resource range and enable the arp option so that the PC can complete DNS and ARP requests before authentication.

Ruijie(config)#http redirect direct-site 19.1.1.1 arp ------> If the switch serves multiple network segments, exempt the gateways of all segments so that PCs in every segment can complete ARP requests and DNS communication.



4. Set authentication-exempt users (srcIP)
Ruijie(config)#web-auth direct-host 20.1.1.2 arp ------> Note: the downstream switch must remain manageable by the NMS, so set it as an authentication-free user; the entry must carry the arp option.

5. Configure authentication-exempt users (srcMAC) (optional)

mac access-list extended mianrenzhen

permit host 5124.3526.0023 any etype-any ------> ACL-based authentication exemption, for example for the MAC addresses of the two public PCs in the service hall

security global access-group mianrenzhen ------> Apply the MAC ACL globally



6. Offline detection based on user traffic (optional, according to customer requirements)
offline-detect interval 6 threshold 0 ------> Detects whether a user is still online based on traffic: if the bidirectional traffic of the user on the authentication port is 0 within six minutes (480 minutes by default), the user is considered offline.
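A consistency check that can be run over an exported running-config before web authentication is enabled on production ports, added here as an example and not part of the original guide. It assumes the command syntax shown in the steps above (the SAMPLE_CONFIG is constructed from them, with one deliberate defect) and checks only what the guide calls out: the template binds lists created with aaa authentication web-auth / aaa accounting network, the template enabled on the interface exists, and every direct-site gateway and direct-host entry carries the arp option.

```python
import re

# Constructed sample (not from the guide): the core-switch commands above as they would
# appear in a running-config, with one deliberate defect: the second gateway lacks arp.
SAMPLE_CONFIG = """
aaa authentication web-auth ruijie-1 group radius
aaa accounting network ruijie-2 start-stop group radius
web-auth template eportalv2
 ip 17.17.1.6
 url http://17.17.1.6/eportal/index.jsp
 authentication ruijie-1
 accounting ruijie-2
web-auth portal key ruijie
http redirect direct-site 18.1.1.1 arp
http redirect direct-site 19.1.1.1
web-auth direct-host 20.1.1.2 arp
interface GigabitEthernet 1/1
 web-auth enable eportalv2
"""

def audit_web_auth(config: str) -> list[str]:
    """Return findings for a Ruijie running-config excerpt; an empty list means consistent."""
    auth_lists, acct_lists, templates, findings, current = set(), set(), {}, [], None
    for raw in config.splitlines():
        line, indented = raw.strip(), raw.startswith(" ")
        if not line:
            continue
        if m := re.match(r"aaa authentication web-auth (\S+)", line):
            auth_lists.add(m.group(1))
        elif m := re.match(r"aaa accounting network (\S+)", line):
            acct_lists.add(m.group(1))
        elif m := re.match(r"web-auth template (\S+)", line):
            current = templates.setdefault(m.group(1), {})  # re-entering a template is allowed
        elif indented and current is not None and (m := re.match(r"(ip|url|authentication|accounting) (\S+)", line)):
            current[m.group(1)] = m.group(2)
        elif m := re.match(r"(http redirect direct-site|web-auth direct-host) (\S+)(.*)", line):
            if "arp" not in m.group(3).split():  # exempt gateways/hosts need arp for pre-auth ARP and DNS
                findings.append(f"{m.group(1)} {m.group(2)} lacks the arp option")
        elif m := re.match(r"web-auth enable (\S+)", line):
            if m.group(1) not in templates:
                findings.append(f"interface enables undefined template {m.group(1)}")
        elif not indented:
            current = None  # any other top-level command ends the template block
    for name, t in templates.items():
        for key, lists in (("authentication", auth_lists), ("accounting", acct_lists)):
            if t.get(key) not in lists:
                findings.append(f"template {name} has no valid {key} list ({t.get(key)})")
        if not {"ip", "url"} <= t.keys():
            findings.append(f"template {name} is missing ip or url")
    return findings
```

Running `audit_web_auth(SAMPLE_CONFIG)` reports only the gateway 19.1.1.1 that was added without the arp option.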

2. Downlink switch configuration:
1) Prevent ARP spoofing
IP Source Guard plus ARP check, used together with DHCP snooping, prevents user-initiated ARP spoofing.
2) Prevent DHCP server spoofing
DHCP snooping blocks rogue (private) DHCP servers, which would otherwise hand out abnormal addresses to users.
3) Prevent loops
3. Verification
View authentication information about the switch


View details about an authentication user

Welcome to Ruijie Community (https://community.ruijienetworks.com/) Powered by Discuz! X3.2