02-H3C S12500 Portal Typical Configuration Examples
H3C S12500 Portal Configuration Examples
Copyright © 2013 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced or transmitted in any form by any organization or individual without the prior written permission of the company. The information in this document is subject to change without notice.
Portal authentication, also called Web authentication, accepts a user's username and password through a web page and authenticates the user, so that the user's network access can be controlled.
The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following examples, so that the intended result is achieved.
This document assumes that you are familiar with the Portal feature.
· If a QoS policy is configured on the same VLAN, on an interface in that VLAN, or globally while Portal authentication is in use, Portal authentication does not take effect.
· Because Portal identifies a client by its IP address, no device configured with NAT (Network Address Translation) may be placed between the authentication client, the access device, the Portal server and the AAA server; otherwise address translation causes authentication to fail.
· As shown in Figure 1, Department A clients access the corporate core network through Switch A -> Switch B. Portal is to be configured on Switch B to control Department A's network access.
· Before passing Portal authentication, users in Department A can access only the Portal server, not other internal networks or the Internet. After passing authentication, they can access the network normally.
· A RADIUS server authenticates, authorizes and accounts for Portal users.
· A shared key is configured on the RADIUS server and on the RADIUS client to protect the packets exchanged between them.
Figure 1 Network diagram for Portal Layer 3 authentication
· To apply Portal authentication to Department A's network access, configure a Portal server on Switch B and enable Portal authentication.
· To authenticate, authorize and account for Portal users through RADIUS, configure a RADIUS scheme on Switch B, specify the authentication, authorization and accounting servers in it, and apply it to the ISP domain the Portal users belong to.
· To carry user passwords securely between Switch B and the RADIUS server, and to let Switch B verify that RADIUS server responses have not been tampered with, configure the same shared key for their packet exchange on both Switch B and the RADIUS server.
This example was configured and verified on S12500-CMW520-R1825P01.
Currently only a RADIUS server can be used to authenticate, authorize and account for Portal users. The server must also have routes that reach the authentication port and the subnet of the user IP addresses.
Make sure the corresponding configuration has been completed on the RADIUS server and the Portal server, for example setting the shared key for packet exchange with the Switch to imc; the detailed steps are omitted.
# Configure interface IP addresses and a routing protocol on all devices so that they are reachable from each other at Layer 3. On Switch A, configure a default route to the 10.0.10.0/24 subnet with next hop 10.0.11.1; the detailed steps are omitted.
# Configure the Portal server: name newpt, IP address 10.0.10.2, key portal, port 50100, URL http://10.0.10.2/portal.
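The two jobs the shared key does in the point above (and again in the second scenario's design notes), shown in working code: an added Python example, not H3C's or any RADIUS server's code, that hides a User-Password per RFC 2865 section 5.2 and verifies an Access-Accept's Response Authenticator the way a NAS such as Switch B must before trusting the reply. The secret imc is the one from this example's RADIUS scheme; the user name, password and Reply-Message are constructed sample values.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 1, 2, 18

def xor_blocks(data, secret, req_auth, hiding):
    # RFC 2865 5.2: XOR block i with MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if hiding else block)
    return out

def hide_password(pw, secret, req_auth):        # NAS side: pad to a 16-byte multiple, then hide
    return xor_blocks(pw + b"\x00" * (-len(pw) % 16), secret, req_auth, True)
def reveal_password(hidden, secret, req_auth):  # server side: undo the hiding, strip the padding
    return xor_blocks(hidden, secret, req_auth, False).rstrip(b"\x00")

def encode(code, ident, auth, attrs):
    # Code | Identifier | Length | Authenticator (16 bytes) | type-length-value attributes
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def attributes(pkt):
    attrs, i = {}, 20
    while i < len(pkt):
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return attrs

def build_response(code, ident, req_auth, attrs, secret):
    # Server: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    draft = encode(code, ident, req_auth, attrs)
    return draft[:4] + hashlib.md5(draft + secret).digest() + draft[20:]

def verify_response(resp, req_auth, secret):
    # NAS (Switch B): accept the reply only if its authenticator verifies under the shared key
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def exchange(password, nas_secret, server_secret, tamper=False):
    # Access-Request / Access-Accept round trip (constructed values); returns (password seen by server, NAS accepted?)
    req_auth = os.urandom(16)
    request = encode(ACCESS_REQUEST, 7, req_auth, [(USER_NAME, b"userA"),
                     (USER_PASSWORD, hide_password(password, nas_secret, req_auth))])
    recovered = reveal_password(attributes(request)[USER_PASSWORD], server_secret, req_auth)
    reply = build_response(ACCESS_ACCEPT, 7, request[4:20], [(REPLY_MESSAGE, b"welcome")], server_secret)
    reply = reply[:-7] + b"altered" if tamper else reply   # an on-path change to the attributes
    return recovered, verify_response(reply, req_auth, nas_secret)
```

With matching secrets the server recovers the password and the NAS accepts the reply; with a mismatched secret or an altered reply, verification fails, which is exactly why the key must be identical on both sides.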
<SwitchB>system-view
System View: return to User View with Ctrl+Z.
[SwitchB] portal server newpt ip 10.0.10.2 key portal port 50100 url http://10.0.10.2/portal
# Enable Portal authentication on the interface connected to Switch A, and configure the authentication subnet as Department A's subnet.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 11
[SwitchB-Vlan-interface11] portal auth-network 192.168.0.0 255.255.255.0
[SwitchB-Vlan-interface11] portal server newpt method layer3
[SwitchB-Vlan-interface11] quit
# Configure a Portal free rule that allows routing protocol packets from Switch A to pass.
[SwitchB] portal free-rule 0 source ip 10.0.11.2 mask 32
[SwitchB] quit
# Create a RADIUS scheme named imc and enter its view.
<SwitchB> system-view
[SwitchB] radius scheme imc
New Radius scheme
# Configure the RADIUS scheme parameters, including the RADIUS server address and the authentication and accounting keys.
[SwitchB-radius-imc] primary authentication 10.0.10.2
[SwitchB-radius-imc] primary accounting 10.0.10.2
[SwitchB-radius-imc] key authentication imc
[SwitchB-radius-imc] key accounting imc
[SwitchB-radius-imc] server-type extended
[SwitchB-radius-imc] user-name-format without-domain
[SwitchB-radius-imc] quit
[SwitchB] quit
# Configure an ISP domain named portal.com; Portal users in this domain are authenticated with the RADIUS scheme configured in step 3.
<SwitchB> system-view
[SwitchB] domain portal.com
[SwitchB-isp-portal.com] authentication portal radius-scheme imc
[SwitchB-isp-portal.com] accounting portal radius-scheme imc
[SwitchB-isp-portal.com] authorization portal radius-scheme imc
[SwitchB-isp-portal.com] quit
[SwitchB] quit
# Configure portal.com as the system default ISP domain. All access users share the authentication, authorization and accounting methods of this default domain; if the username entered at login carries no ISP domain name, the methods of the default domain are used.
[SwitchB] domain default enable portal.com
# Before authentication, the client can access only the Portal server, and any web page the user requests is redirected to the Portal server's home page.
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
# After the correct username and password are entered on the Portal authentication page and authentication succeeds, the client can access the network normally.
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Reply from 10.0.11.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Reply from 10.0.10.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
# The authenticated Portal user can be viewed on the device.
<SwitchB>display portal user all
Index:3
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode:stand-alone
VPN instance:NONE
MAC IP Vlan Interface
----------------------------------------------------------------------------
0000-0000-0000 192.168.0.2 11 Vlan-interface11
Total 1 user(s) matched, 1 listed.
#
domain default enable portal.com
#
portal server newpt ip 10.0.10.2 key cipher $c$3$c05cGkZePA4Ke+tMA4IehAeQfknE9tF2PQ== url http://10.0.10.2/portal
portal free-rule 0 source ip 10.0.11.2 mask 255.255.255.255 destination ip any
#
forward-path check enable
#
vlan 1
#
vlan 10 to 11
#
radius scheme imc
server-type extended
primary authentication 10.0.10.2
primary accounting 10.0.10.2
key authentication cipher $c$3$M30nGDQxiOCAxe2AJ9yEZdk8kjoWag==
key accounting cipher $c$3$sLGxmc7H4MDmvUvmcaaee50JnNLPrA==
user-name-format without-domain
#
domain portal.com
authentication portal radius-scheme imc
authorization portal radius-scheme imc
accounting portal radius-scheme imc
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
interface NULL0
#
interface Vlan-interface10
ip address 10.0.10.1 255.255.255.0
#
interface Vlan-interface11
ip address 10.0.11.1 255.255.255.0
rip version 2 multicast
portal auth-network 192.168.0.0 255.255.255.0
portal server newpt method layer3
#
#
interface GigabitEthernet7/0/10
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet7/0/11
port link-mode bridge
port access vlan 11
#
#
interface M-Ethernet0/0/0
#
rip 1
version 2
network 10.0.0.0
import-route direct
#
user-interface con 0
user-interface aux 0
user-interface vty 0 17
#
· As shown in Figure 2, Department A clients access the corporate core network through Switch A -> Switch B. Portal is to be configured on Switch B to control Department A's network access and to perform security checks.
· Before passing authentication, users can access only the Portal server, not other internal networks or the Internet.
· A user who passes authentication but has not installed the specified version of anti-virus software is isolated and may access only the virus and patch servers.
· A user who passes authentication and has installed the specified version of anti-virus software passes the security policy check and can access the network normally.
· A RADIUS server authenticates, authorizes and accounts for user access, and a security policy server performs security checks on users who have logged in successfully.
Figure 2 Network diagram for the Portal Layer 3 authentication extended functions
· To apply Portal authentication to Department A's network access, configure a Portal server on Switch B and enable Portal authentication. Before authentication, all clients can access only the Portal server, and any web page a user requests is redirected to the Portal server's home page.
· To authenticate, authorize and account through RADIUS, configure a RADIUS scheme on Switch B, specify the authentication, authorization and accounting servers in it, and apply it to the ISP domain the Portal users belong to.
· To carry user passwords securely between Switch B and the RADIUS server, and to let Switch B verify that RADIUS server responses have not been tampered with, configure the same shared key for their packet exchange on both Switch B and the RADIUS server.
· To perform security checks on users who log in successfully, create ACLs and define their rules. A user who fails the check can access only the virus and patch servers; only after the virus signature database has been upgraded to a version that meets the security policy can the user access all network resources.
This example was configured and verified on S12500-CMW520-R1825P01.
Currently only a RADIUS server can be used to authenticate, authorize and account for Portal users. The server must also have routes that reach the authentication port and the subnet of the user IP addresses.
Make sure the corresponding configuration has been completed on the RADIUS server, the Portal server and the security policy server, for example setting the shared key for packet exchange with the Switch to imc on the RADIUS server; the detailed steps are omitted.
# Configure interface IP addresses and a routing protocol on all devices so that they are reachable from each other at Layer 3. On Switch A, configure a default route to the 10.0.10.0/24 subnet with next hop 10.0.11.1; the detailed steps are omitted.
# Configure the Portal server: name newpt, IP address 10.0.10.2, key portal, port 50100, URL http://10.0.10.2/portal.
<SwitchB>system-view
[SwitchB]portal server newpt ip 10.0.10.2 key portal port 50100 url http://10.0.10.2/portal
# Enable Portal authentication on the interface connected to Switch A.
<SwitchB>system-view
System View: return to User View with Ctrl+Z.
[SwitchB]interface Vlan-interface 11
[SwitchB-Vlan-interface11]portal auth-network 192.168.0.0 255.255.255.0
[SwitchB-Vlan-interface11]portal server newpt method layer3
[SwitchB-Vlan-interface11]quit
# Configure a Portal free rule that allows routing protocol packets from Switch A to pass.
[SwitchB]portal free-rule 0 source ip 10.0.11.2 mask 32
[SwitchB]quit
# Create a RADIUS scheme named imc and enter its view.
<SwitchB>system-view
System View: return to User View with Ctrl+Z.
[SwitchB]radius scheme imc
# Configure the RADIUS scheme parameters, including the RADIUS server address and the authentication and accounting keys.
[SwitchB-radius-imc]primary authentication 10.0.10.2
[SwitchB-radius-imc]primary accounting 10.0.10.2
[SwitchB-radius-imc]key authentication imc
[SwitchB-radius-imc]key accounting imc
[SwitchB-radius-imc]server-type extended
[SwitchB-radius-imc]user-name-format without-domain
[SwitchB-radius-imc]quit
[SwitchB]quit
# Configure an ISP domain named portal.com; Portal users in this domain are authenticated with the RADIUS scheme configured in step 3.
<SwitchB>system-view
[SwitchB]domain portal.com
[SwitchB-isp-portal.com]authentication portal radius-scheme imc
[SwitchB-isp-portal.com]accounting portal radius-scheme imc
[SwitchB-isp-portal.com]authorization portal radius-scheme imc
[SwitchB-isp-portal.com]quit
[SwitchB]quit
# Configure portal.com as the system default ISP domain. All access users share the authentication, authorization and accounting methods of this default domain; if the username entered at login carries no ISP domain name, the methods of the default domain are used.
[SwitchB] domain default enable portal.com
# Configure isolation ACL 3000, which permits access only to the patch and virus servers.
<SwitchB>system-view
[SwitchB]acl number 3000
[SwitchB-acl-adv-3000]rule permit ip destination 10.0.12.2 0
[SwitchB-acl-adv-3000]rule permit ip destination 10.0.12.3 0
[SwitchB-acl-adv-3000]rule deny ip
[SwitchB-acl-adv-3000]quit
[SwitchB]quit
# Configure security ACL 3001, which permits access to all network destinations.
<SwitchB>system-view
[SwitchB]acl number 3001
[SwitchB-acl-adv-3001]rule permit ip
[SwitchB-acl-adv-3001]quit
[SwitchB]quit
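To confirm what ACL 3000 and ACL 3001 actually decide before the security policy server starts assigning them, here is an added Python example (not part of the H3C document or of Comware) that parses the two ACL stanzas as they appear in the running configuration, evaluates a packet against them first-match with Comware wildcard masks, and checks that the isolation ACL ends in an unconditional deny. The Portal server 10.0.10.2 is not modelled because, as the ping output in this example shows, it stays reachable in every state independently of the authorization ACL; the config text and the source address 192.168.0.2 come from this example, and the /24 wildcard case in the test is a constructed addition.

```python
import ipaddress, re
# Constructed excerpt of this example's running config (ACL 3000 = isolation, ACL 3001 = security)
CONFIG = """\
acl number 3000
 rule 0 permit ip destination 10.0.12.2 0
 rule 5 permit ip destination 10.0.12.3 0
 rule 10 deny ip
acl number 3001
 rule 0 permit ip
"""
RULE = re.compile(r"rule (\d+) (permit|deny) ip(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")

def addr_spec(ip, wc):
    """Comware address + wildcard: wildcard 0 (or 0.0.0.0) = exact host, 0.0.0.255 = a /24; 'any' = all."""
    if ip is None or ip == "any":
        return None
    wc_int = int(ipaddress.IPv4Address(wc)) if "." in wc else int(wc)
    return int(ipaddress.IPv4Address(ip)), wc_int

def parse_acls(text):
    """Return {acl_number: [(rule_id, action, src_spec, dst_spec), ...]} in configuration order."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"acl number (\d+)$", line)
        if head:
            current = acls.setdefault(int(head.group(1)), [])
        elif (m := RULE.match(line)) and current is not None:
            rid, action, s_ip, s_wc, d_ip, d_wc = m.groups()
            current.append((int(rid), action, addr_spec(s_ip, s_wc), addr_spec(d_ip, d_wc)))
    return acls

def matches(spec, addr):
    # None means 'any'; set wildcard bits are don't-care, so compare with those bits forced on
    return spec is None or (int(ipaddress.IPv4Address(addr)) | spec[1]) == (spec[0] | spec[1])

def evaluate(rules, src, dst):
    """First matching rule wins, in rule-number order; 'no-match' flags traffic the ACL never decides."""
    for rid, action, s, d in sorted(rules):
        if matches(s, src) and matches(d, dst):
            return action, rid
    return "no-match", None

def reachability(acls, acl_no, src, dsts):   # action applied to packets from src, per destination
    return {d: evaluate(acls[acl_no], src, d)[0] for d in dsts}

def quarantine_is_closed(rules):
    """An isolation ACL must end in an unconditional deny, or unmatched traffic is left undecided."""
    rid, action, s, d = sorted(rules)[-1]
    return action == "deny" and s is None and d is None
```

Run against the two ACLs above, the result reproduces the ping matrix shown later in this example: under ACL 3000 only 10.0.12.2 and 10.0.12.3 are permitted, under ACL 3001 everything is.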
# Before authentication, Client A can access only the Portal server.
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.1
Pinging 10.0.12.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.12.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.2
Pinging 10.0.12.2 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.12.2:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.3
Pinging 10.0.12.3 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.12.3:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
# On the security policy server, configure a security policy in isolation mode with isolation ACL 3000 and security ACL 3001. Also configure a virus scan of the client that requires the Symantec anti-virus signature database to be at a minimum version higher than the version currently on the client.
# Client A uses the iNode client to create a new Portal connection through Switch B, enters the correct username and password, and logs in successfully. The security check then starts; the client fails it and enters isolation mode. Viewing the Portal user on the device shows that the isolation ACL has been assigned.
<SwitchB>display portal user all
Index:77
State:ONLINE
SubState:NONE
ACL:3000
Work-mode:stand-alone
VPN instance:NONE
MAC IP Vlan Interface
---------------------------------------------------------------------
0000-0000-0000 192.168.0.2 11 Vlan-interface11
Total 1 user(s) matched, 1 listed.
# Check Client A's network access: Client A can reach only the Portal server, the patch server and the virus server.
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.1
Pinging 10.0.12.1 with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.12.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\>ping -n 1 10.0.12.2
Pinging 10.0.12.2 with 32 bytes of data:
Reply from 10.0.12.2: bytes=32 time=2ms TTL=126
Ping statistics for 10.0.12.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
C:\>ping -n 1 10.0.12.3
Pinging 10.0.12.3 with 32 bytes of data:
Reply from 10.0.12.3: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.12.3:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
# Upgrade Client A's virus signature database to a version that meets the security policy. Disconnect the client and log in again. After successful authentication the security check runs, the client reports that it passed, and the authenticated Portal user shown on the device now has security ACL 3001 assigned.
<SwitchB>display portal user all
Index:79
State:ONLINE
SubState:NONE
ACL:3001
Work-mode:stand-alone
VPN instance:NONE
MAC IP Vlan Interface
---------------------------------------------------------------------
0000-0000-0000 192.168.0.2 11 Vlan-interface11
Total 1 user(s) matched, 1 listed.
# Check Client A's network access: the client can access the network normally.
C:\>ping -n 1 10.0.10.1
Pinging 10.0.10.1 with 32 bytes of data:
Reply from 10.0.10.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.10.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.10.2
Pinging 10.0.10.2 with 32 bytes of data:
Reply from 10.0.10.2: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.10.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.11.1
Pinging 10.0.11.1 with 32 bytes of data:
Reply from 10.0.11.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.11.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.12.1
Pinging 10.0.12.1 with 32 bytes of data:
Reply from 10.0.12.1: bytes=32 time<1ms TTL=254
Ping statistics for 10.0.12.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>ping -n 1 10.0.12.2
Pinging 10.0.12.2 with 32 bytes of data:
Reply from 10.0.12.2: bytes=32 time=2ms TTL=126
Ping statistics for 10.0.12.2:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
C:\>ping -n 1 10.0.12.3
Pinging 10.0.12.3 with 32 bytes of data:
Reply from 10.0.12.3: bytes=32 time<1ms TTL=126
Ping statistics for 10.0.12.3:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
#
domain default enable portal.com
#
portal server newpt ip 10.0.10.2 key cipher $c$3$NutFYbU0hYwh72HWnP2zrtfThyQfRb6pmw url http://10.0.10.2/portal
portal free-rule 0 source ip 10.0.11.2 mask 255.255.255.255 destination ip any
#
forward-path check enable
#
acl number 3000
rule 0 permit ip destination 10.0.12.2 0
rule 5 permit ip destination 10.0.12.3 0
rule 10 deny ip
acl number 3001
rule 0 permit ip
#
vlan 1
#
vlan 10 to 11
#
radius scheme imc
server-type extended
primary authentication 10.0.10.2
primary accounting 10.0.10.2
key authentication cipher $c$3$M30nGDQxiOCAxe2AJ9yEZdk8kjoWag==
key accounting cipher $c$3$sLGxmc7H4MDmvUvmcaaee50JnNLPrA==
user-name-format without-domain
#
domain portal.com
authentication portal radius-scheme imc
authorization portal radius-scheme imc
accounting portal radius-scheme imc
access-limit disable
state active
idle-cut disable
self-service-url disable
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
interface NULL0
#
interface Vlan-interface10
ip address 10.0.10.1 255.255.255.0
#
interface Vlan-interface11
ip address 10.0.11.1 255.255.255.0
rip version 2 multicast
portal auth-network 192.168.0.0 255.255.255.0
portal server newpt method layer3
#
interface Vlan-interface12
ip address 10.0.12.1 255.255.255.0
#
#
interface GigabitEthernet7/0/10
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet7/0/11
port link-mode bridge
port access vlan 11
#
interface GigabitEthernet7/0/12
port link-mode bridge
port access vlan 12
#
#
interface M-Ethernet0/0/0
#
rip 1
version 2
network 10.0.0.0
import-route direct
#
user-interface con 0
user-interface aux 0
user-interface vty 0 17
#
· "Portal" in H3C S12500 Routing Switch Series Security Configuration Guide
· "Portal" in H3C S12500 Routing Switch Series Security Command Reference
Documentation differs slightly between product models; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the contents of this documentation without notice.