1. Networking requirements

1. Customers can use common browser software for access authentication; there is no need to install other client authentication software.
2. When an unauthenticated user accesses the Internet, the device forces the user to log in to a specific site, where the user can access the services for free.
3. When the user needs to use other information on the Internet, they must be authenticated by the Web authentication server; only after authentication can they use Internet resources.
4. Charge authenticated users.
5. Users do not need authentication to access related servers.
6. You can set authentication-free users (srcMAC); these users can use Internet resources without authentication restrictions.
7. You can set authentication-free users (srcIP, including the management IP address of the downstream switch); these users can use Internet resources without authentication restrictions.
8. Configure seamless online for authenticated users.
9. Prevent ARP spoofing.

2. Network topology

3. Configuration key steps

Core switch configuration:
1. Configure the AAA function.
2. Configure the web redirection page and the web authentication redirection server (eportal server).
3. Set authentication-exempt users (srcIP). Note: the downstream switch needs to be managed by the NMS, so set it as an authentication-exempt user.
4. Set authentication-exempt users (srcMAC) (optional).
5. Support detection based on user traffic (optional, selected according to customer demand).

Key points of the downlink switch configuration:
1. Anti-attack settings
   1) Prevent ARP spoofing
   2) Prevent DHCP spoofing
2. Loop prevention settings

Eportal server configuration key steps:
Add the device.

4. Configuration steps

Core switch configuration:

1. Configure the AAA function

Ruijie#configure
Ruijie(config)#aaa new-model
Ruijie(config)#radius-server host 17.17.1.5 key ruijie
Ruijie(config)#aaa authentication web-auth ruijie-1 group radius    ------> Create an authentication list named ruijie-1
Ruijie(config)#aaa accounting network ruijie-2 start-stop group radius    ------> Create an accounting list named ruijie-2

2. Configure the web redirection page and the web authentication redirection server (eportal server)

Ruijie(config)#web-auth template eportalv2
Ruijie(config.tmplt.eportalv2)#ip 17.17.1.6
Ruijie(config.tmplt.eportalv2)#exit
Ruijie(config)#web-auth portal key ruijie    ------> Configure the key used by the authentication device to communicate with the authentication server
Ruijie(config)#web-auth template eportalv2
Ruijie(config.tmplt.eportalv2)#url http://17.17.1.6/eportal/index.jsp
Ruijie(config.tmplt.eportalv2)#authentication ruijie-1    ------> Reference the authentication list
Ruijie(config.tmplt.eportalv2)#accounting ruijie-2    ------> Reference the accounting (billing) list
Ruijie(config.tmplt.eportalv2)#exit
Ruijie(config)#interface GigabitEthernet 1/1
Ruijie(config-if)#web-auth enable eportalv2    ------> Enable web authentication on the interface
Ruijie(config-if)#exit

3. Permit the gateway with the arp option

Ruijie(config)#http redirect direct-site 18.1.1.1 arp    ------> Add the gateway IP address to the authentication-exempt network resource range and enable the arp option so that the PC can complete DNS and ARP requests before authentication
Ruijie(config)#http redirect direct-site 19.1.1.1 arp    ------> If the switch has multiple network segments, the gateway of every segment must be added so that the PC can complete ARP requests and DNS communication

4. Set authentication-exempt users (srcIP)

Ruijie(config)#web-auth direct-host 20.1.1.2 arp    ------> Note: the downstream switch needs to be managed by the NMS; set it as an authentication-exempt user and include the arp option

5. Configure authentication-exempt users (srcMAC) (optional)

mac access-list extended mianrenzhen
permit host 5124.3526.0023 any etype-any    ------> ACL-based authentication exemption, for example the MAC addresses of the two public PCs in the service hall
security global access-group mianrenzhen

6. Support detection based on user traffic (optional, selected according to customer requirements)

offline-detect interval 6 threshold 0    ------> This function detects whether a user is still online. Check criterion: based on traffic, if the user's traffic is 0 within six minutes (480 minutes by default; the bidirectional traffic on the authentication port is checked), the user is considered offline.

Downlink switch configuration:

1) Prevent ARP spoofing: the IP Source Guard + ARP-check scheme is used together with DHCP snooping to prevent user-initiated ARP spoofing.
2) Prevent DHCP server fraud: DHCP snooping blocks private DHCP servers, which would otherwise cause users to obtain abnormal addresses.
3) Prevent loops.

Verification

View authentication information on the switch.
View details about an authenticated user.
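The core-switch steps above only work when several items agree with each other: the authentication and accounting list names referenced by the eportalv2 template must be the lists created under aaa, the template needs both an ip and a url, the interface must reference a defined template, the RADIUS server needs its shared key, and the exempt entries should carry the arp option. The following Python script is an added example (not a Ruijie tool and not part of the original post): it parses a running-config text constructed from the commands in the procedure and reports anything missing or inconsistent. The check names, the WebAuthConfig structure and the sample config are this example's own; the second direct-site entry was deliberately written without the arp option so that the audit has something to report.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed running-config text built from the commands in the procedure.
# The arp option is deliberately missing on the 19.1.1.1 direct-site entry.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 17.17.1.5 key ruijie
aaa authentication web-auth ruijie-1 group radius
aaa accounting network ruijie-2 start-stop group radius
web-auth portal key ruijie
web-auth template eportalv2
 ip 17.17.1.6
 url http://17.17.1.6/eportal/index.jsp
 authentication ruijie-1
 accounting ruijie-2
http redirect direct-site 18.1.1.1 arp
http redirect direct-site 19.1.1.1
web-auth direct-host 20.1.1.2 arp
offline-detect interval 6 threshold 0
interface GigabitEthernet 1/1
 web-auth enable eportalv2
"""


@dataclass
class WebAuthConfig:
    """Model of the config items the web-auth procedure depends on (this example's own)."""
    aaa_new_model: bool = False
    radius_hosts: dict = field(default_factory=dict)        # host -> shared key present
    auth_lists: set = field(default_factory=set)
    acct_lists: set = field(default_factory=set)
    portal_key: bool = False
    templates: dict = field(default_factory=dict)           # name -> {ip, url, authentication, accounting}
    direct_sites: dict = field(default_factory=dict)        # address -> arp option present
    direct_hosts: dict = field(default_factory=dict)        # address -> arp option present
    offline_detect: Optional[tuple] = None                  # (interval, threshold)
    enabled_interfaces: dict = field(default_factory=dict)  # interface -> template name


def parse_config(text: str) -> WebAuthConfig:
    """Parse the subset of the config the audit needs.
    Indented lines belong to the most recent template or interface block."""
    cfg = WebAuthConfig()
    context = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            context = None
        if m := re.fullmatch(r"web-auth template (\S+)", line):
            context = ("template", m.group(1))
            cfg.templates.setdefault(m.group(1), {})
        elif m := re.fullmatch(r"interface (.+)", line):
            context = ("interface", m.group(1))
        elif line == "aaa new-model":
            cfg.aaa_new_model = True
        elif m := re.match(r"radius-server host (\S+)(?: key (\S+))?", line):
            cfg.radius_hosts[m.group(1)] = m.group(2) is not None
        elif m := re.fullmatch(r"aaa authentication web-auth (\S+) group radius", line):
            cfg.auth_lists.add(m.group(1))
        elif m := re.fullmatch(r"aaa accounting network (\S+) start-stop group radius", line):
            cfg.acct_lists.add(m.group(1))
        elif line.startswith("web-auth portal key "):
            cfg.portal_key = True
        elif m := re.fullmatch(r"http redirect direct-site (\S+)( arp)?", line):
            cfg.direct_sites[m.group(1)] = m.group(2) is not None
        elif m := re.fullmatch(r"web-auth direct-host (\S+)( arp)?", line):
            cfg.direct_hosts[m.group(1)] = m.group(2) is not None
        elif m := re.fullmatch(r"offline-detect interval (\d+) threshold (\d+)", line):
            cfg.offline_detect = (int(m.group(1)), int(m.group(2)))
        elif context and context[0] == "template":
            key, _, value = line.partition(" ")          # e.g. "authentication ruijie-1"
            cfg.templates[context[1]][key] = value
        elif context and context[0] == "interface" and (m := re.fullmatch(r"web-auth enable (\S+)", line)):
            cfg.enabled_interfaces[context[1]] = m.group(1)
    return cfg


def audit(cfg: WebAuthConfig) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if not cfg.aaa_new_model:
        findings.append("aaa new-model is not enabled")
    if not cfg.radius_hosts:
        findings.append("no radius-server host is configured")
    for host, has_key in cfg.radius_hosts.items():
        if not has_key:
            findings.append(f"radius-server host {host} has no shared key")
    if not cfg.portal_key:
        findings.append("web-auth portal key is not set")
    for name, tmpl in cfg.templates.items():
        for item in ("ip", "url"):
            if item not in tmpl:
                findings.append(f"template {name}: {item} is missing")
        if tmpl.get("authentication") not in cfg.auth_lists:
            findings.append(f"template {name}: authentication list {tmpl.get('authentication')} is not defined")
        if tmpl.get("accounting") not in cfg.acct_lists:
            findings.append(f"template {name}: accounting list {tmpl.get('accounting')} is not defined")
    if not cfg.enabled_interfaces:
        findings.append("web-auth enable is not applied to any interface")
    for ifname, tmpl in cfg.enabled_interfaces.items():
        if tmpl not in cfg.templates:
            findings.append(f"{ifname}: template {tmpl} is not defined")
    # Exempt entries without the arp option leave pre-authentication ARP and DNS unreachable
    for addr, arp in list(cfg.direct_sites.items()) + list(cfg.direct_hosts.items()):
        if not arp:
            findings.append(f"exempt entry {addr} lacks the arp option (pre-authentication ARP and DNS may fail)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the sample config the script reports only the 19.1.1.1 entry; feed it the output of your own `show running-config` to check a real device after the procedure has been applied. The parser is intentionally narrow: it recognises only the commands used in this procedure, and any other way of expressing the same settings would have to be added to the regular expressions.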
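The downlink switch section names three mechanisms (DHCP snooping, IP Source Guard and ARP-check) without showing how they fit together. The following Python model is an added example (not Ruijie's implementation and not part of the original post) that shows the relationship: DHCP snooping accepts server messages only on a trusted uplink port and turns each ACK into a binding of port, MAC and IP; ARP-check and IP Source Guard then forward a frame from a user port only if its sender pair matches such a binding. The SnoopingSwitch class, the port names and the traffic in run_scenario are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the port, MAC and IP a client was granted (constructed model)."""
    port: str
    mac: str
    ip: str


class SnoopingSwitch:
    """Toy model of an access switch running DHCP snooping, IP Source Guard
    and ARP-check on its untrusted (user) ports. Not Ruijie's implementation."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink(s) towards the legitimate DHCP server
        self.pending = {}                   # client MAC -> user port that sent the request
        self.bindings = set()               # Binding entries learned from DHCP ACKs

    def dhcp(self, port, msg_type, client_mac, assigned_ip=None):
        """DHCP snooping. Server messages (OFFER/ACK) are accepted only from
        trusted ports; an ACK through a trusted port installs a binding for
        the user port on which the client's request was seen."""
        if msg_type in ("OFFER", "ACK"):
            if port not in self.trusted:
                return "DROP: DHCP server message on untrusted port"
            if msg_type == "ACK" and client_mac in self.pending:
                self.bindings.add(Binding(self.pending.pop(client_mac), client_mac, assigned_ip))
            return "FORWARD"
        # DISCOVER/REQUEST from a client: remember which port it came in on
        self.pending[client_mac] = port
        return "FORWARD"

    def _bound(self, port, mac, ip):
        # Trusted ports are not filtered; user ports must match a learned binding
        return port in self.trusted or Binding(port, mac, ip) in self.bindings

    def arp(self, port, sender_mac, sender_ip):
        """ARP-check: the ARP sender MAC/IP pair must match a binding on the ingress port."""
        return "FORWARD" if self._bound(port, sender_mac, sender_ip) else "DROP: ARP sender does not match binding"

    def ip_packet(self, port, src_mac, src_ip):
        """IP Source Guard: the source MAC/IP pair must match a binding on the ingress port."""
        return "FORWARD" if self._bound(port, src_mac, src_ip) else "DROP: IP source does not match binding"


def run_scenario():
    """Constructed traffic: one legitimate client, one host on another port
    answering ARP for the gateway address, one DHCP OFFER from a user port.
    Returns the verdict for each frame."""
    sw = SnoopingSwitch(trusted_ports=["Gi0/24"])   # Gi0/24 = uplink to the core switch
    verdicts = {}
    verdicts["request"] = sw.dhcp("Gi0/1", "REQUEST", "0011.2233.4455")
    verdicts["ack"] = sw.dhcp("Gi0/24", "ACK", "0011.2233.4455", "192.168.1.10")
    verdicts["client_arp"] = sw.arp("Gi0/1", "0011.2233.4455", "192.168.1.10")
    verdicts["client_ip"] = sw.ip_packet("Gi0/1", "0011.2233.4455", "192.168.1.10")
    # A host on Gi0/2 claims the gateway address 192.168.1.1 in an ARP reply
    verdicts["spoofed_arp"] = sw.arp("Gi0/2", "0066.7788.99aa", "192.168.1.1")
    # The legitimate client's MAC with an IP it was never assigned
    verdicts["forged_ip"] = sw.ip_packet("Gi0/1", "0011.2233.4455", "192.168.1.99")
    # A DHCP OFFER arriving on a user port (private DHCP server)
    verdicts["rogue_offer"] = sw.dhcp("Gi0/2", "OFFER", "0011.2233.4455", "10.0.0.5")
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:12s} {verdict}")
```

The model makes one consequence of the scheme visible that the procedure does not spell out: a host that never goes through DHCP (a statically addressed server, or the downstream switch's own management address) has no binding, so on a real deployment such hosts need a static binding or a port excluded from the check, otherwise IP Source Guard and ARP-check drop their traffic.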