1. LAN users access the Internet through the EG device.
2. The WAN bandwidth is 10 Mbps, the address of the WAN port is 192.168.33.56/24, the address of the WAN gateway is 192.168.33.1, and the addresses of LAN ports are in the 192.168.1.1/24 network segment.
3. LAN users can access the WAN only after succeeding in identity authentication.
4. EG devices running RGOS10.3 (4B8) and later versions support subinterface Web authentication. The configuration method is the same as that of common Web authentication.
5. Internal Web authentication allows users to proactively add the go-offline page to favorites and modify passwords. It also supports the following functions: forbidding users from accessing the Internet (blocking user accounts) and kicking users offline.
Note: The IP addresses above are used in a simulated environment and are not provided by carriers.
Configuration Key Points
1. Perform wizard-based setup to ensure that LAN users can successfully access the WAN.
2. Select the internal Web authentication server function in the real-name Internet access policy.
1. If advertisement push is enabled, the entered advertisement address cannot contain the character "?".
2. If Web authentication is enabled and port mapping is configured, the LAN server IP address used for port mapping needs to be added to the authentication-exempt IP address list. Otherwise, port mapping will fail.
3. After Web authentication is enabled, the remote login password (that is, telnet password) needs to be changed.
1. The Web authentication function of the EG device allows Dynamic Host Configuration Protocol (DHCP), DNS, and Address Resolution Protocol (ARP) traffic to pass by default, without additional settings.
2. When you log in to the EG device through telnet with Web authentication enabled, the account is locked if you enter a wrong username or password more than 3 consecutive times on an EG device running RGOS4B8, or 50 consecutive times on an EG device running RGOS4B10. By default, the account is unlocked after 15 hours, after which you can log in with it again. You are advised to run the following commands to modify these two parameters after configuring Web authentication:
Ruijie(config)#aaa local authentication lockout-time 1 //Unlocking an account 1 hour after the account is locked
Ruijie(config)#aaa local authentication attempts 10 //Setting the allowable login attempts to 10.
Choose User > Auth and click Internal Portal Auth on the Web Auth tab page to enable the internal authentication function, as shown in the figure below.
a. Internal Portal Auth: Refers to the internal authentication server of the EG device.
b. Auth Mode: A user needs to be authenticated before accessing the Internet. Specify the server matching priority for authentication information here.
c. Advertising Mode: The Ruijie EG device provides an advertisement push function. For example, a hotel can use this function to push the hotel homepage to guests and promote the hotel brand. You can set the mode to No AD, Display AD Before Auth, or Display AD After Auth.
Add a user to be authenticated: Click a user group in the user organization structure on the left, add a user (IP range) to the user group, and configure the username and password, as shown in the figure below.
A user added successfully is displayed in the user list, as shown in the figure below.
The user configuration method on the CLI is as follows:
#Add a user named ruijie under the root directory, set the password to 111, and configure the account to use only Web authentication.
Ruijie(config)# subscriber static name "ruijie" parent "/" password 111
Ruijie(config)# subscriber allow "ruijie" privilege webauth
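The lockout commands and the subscriber commands above can be checked together in pasted configuration text. The following Python script is an added example, not Ruijie's code: it reports missing lockout settings, more than 10 allowed attempts, short subscriber passwords such as 111, and subscribers without the webauth restriction. It assumes the text contains the commands as typed on this page; the 10-character minimum and the guest01 user are constructed for illustration.

```python
import re

# Constructed sample using only the commands shown on this page. Assumption:
# the audited text contains them as typed (a saved config may store passwords differently).
SAMPLE_CONFIG = """\
Ruijie(config)#aaa local authentication lockout-time 1 //unlock after 1 hour
Ruijie(config)#aaa local authentication attempts 10
Ruijie(config)# subscriber static name "ruijie" parent "/" password 111
Ruijie(config)# subscriber allow "ruijie" privilege webauth
Ruijie(config)# subscriber static name "guest01" parent "/" password Xk7#pQ9vLm2s
"""

MIN_PASSWORD_LEN = 10  # hypothetical local policy, not a Ruijie default
MAX_ATTEMPTS = 10      # value this page recommends

AAA_RE = re.compile(r'^aaa local authentication (lockout-time|attempts) (\d+)$')
USER_RE = re.compile(r'^subscriber static name "([^"]+)" parent "[^"]*" password (\S+)$')
ALLOW_RE = re.compile(r'^subscriber allow "([^"]+)" privilege (\S+)$')


def audit(config_text):
    """Return findings for the lockout and subscriber commands in config_text."""
    aaa, passwords, privileges = {}, {}, {}
    for raw in config_text.splitlines():
        line = re.sub(r'^\S*\(config\)#\s*', '', raw.strip())  # drop pasted prompt
        line = re.sub(r'\s+//.*$', '', line)                     # drop // remark
        if m := AAA_RE.match(line):
            aaa[m.group(1)] = int(m.group(2))
        elif m := USER_RE.match(line):
            passwords[m.group(1)] = m.group(2)
        elif m := ALLOW_RE.match(line):
            privileges.setdefault(m.group(1), set()).add(m.group(2))
    findings = []
    for key in ('lockout-time', 'attempts'):
        if key not in aaa:
            findings.append(f'aaa: {key} not set, device default applies')
    if aaa.get('attempts', 0) > MAX_ATTEMPTS:
        findings.append(f"aaa: attempts {aaa['attempts']} exceeds {MAX_ATTEMPTS}")
    for name, password in passwords.items():
        if len(password) < MIN_PASSWORD_LEN:
            findings.append(f'{name}: password shorter than {MIN_PASSWORD_LEN} characters')
        if 'webauth' not in privileges.get(name, set()):
            findings.append(f'{name}: no "privilege webauth" line')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```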
If you select Allow Internal Web Auth User Password Change when configuring a username and password, the Change Password option is displayed after Web authentication is successful.
After the configuration is complete, the authentication page is displayed when a user browses a Web page for the first time.
Enter the correct username and password and click Login. The authentication success page is displayed.
©2000-2023 Ruijie Networks Co,Ltd