H3C Fixed Port Campus Switches Configuration Examples-6W103

33-Portal Configuration Examples


This document provides examples for configuring the following portal authentications:

·     Cross-subnet authentication: Applies to networks where Layer 3 forwarding devices exist between the authentication client and the access device. After a user passes authentication on an interface, the access device generates an ACL for the user based on the user's IP address to permit packets from the user on the interface.

·     Direct authentication: Applies to networks where no Layer 3 forwarding devices exist between the authentication client and the access device. In such a network, the access device can learn MAC addresses of users. The access device can use both ACLs and MAC addresses to enhance control on user packet forwarding.


The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of portal.

Restrictions and guidelines

When you configure direct or cross-subnet portal authentication, follow these restrictions and guidelines:

·     Only the RADIUS server can perform authentication, authorization, and accounting for portal users.

·     On the RADIUS server, configure routes to reach the authentication interfaces and user networks.

·     The IMC server uses session control packets to send disconnection requests to the access device. If you use the IMC server as the RADIUS server, execute the radius session-control enable command on the access device. Otherwise, the access device cannot receive portal user logout requests from the RADIUS server.

·     When the access device runs Portal 2.0, configure the BAS-IP attribute for portal packets sent to the portal authentication server. Make sure the BAS-IP is the same as the IP Address configured on the portal authentication server. Otherwise, the portal authentication server will drop unsolicited portal packets (such as logout notifications) from the access device.

Example: Configuring cross-subnet portal authentication

Network configuration

As shown in Figure 1, Device B supports portal authentication. An IMC server acts as a portal authentication server, a portal Web server, and a RADIUS server. The RADIUS server is used to perform AAA on portal users. In this example, the IMC server runs IMC PLAT 7.0 (E0202) and IMC UAM 7.0 (E0202).

Configure cross-subnet portal authentication. Before passing authentication, a host can access only the portal server. After passing authentication, the host can access resources in the IP network.

Figure 1 Network diagram



To enable Device B to perform cross-subnet portal authentication through RADIUS, you must complete the following tasks:

·     Configure the portal authentication and Web server, and enable cross-subnet portal authentication.

·     Configure the RADIUS scheme. Specify the AAA server for the scheme and apply the scheme to the portal authentication domain.

Applicable hardware and software versions

The following matrix shows the hardware and software versions to which this configuration example is applicable:



Hardware | Software version
S6812 switch series, S6813 switch series | Release 66xx
S6550XE-HI switch series | Release 6008 and later
S6525XE-HI switch series | Release 6008 and later
S5850 switch series | Release 8005 and later
S5570S-EI switch series | Release 11xx
S5560X-EI switch series | Release 63xx, Release 65xx, Release 66xx
S5560X-HI switch series | Release 63xx, Release 65xx, Release 66xx
S5500V2-EI switch series | Release 63xx, Release 65xx, Release 66xx
MS4520V2-30F switch | Release 63xx, Release 65xx, Release 66xx
MS4520V2-30C switch, MS4520V2-54C switch | Release 65xx, Release 66xx
MS4520V2-28S switch, MS4520V2-24TP switch | Release 63xx
S6520X-HI switch series, S6520X-EI switch series | Release 63xx, Release 65xx, Release 66xx
S6520X-SI switch series, S6520-SI switch series | Release 63xx, Release 65xx, Release 66xx
S5000-EI switch series | Release 63xx, Release 65xx, Release 66xx
MS4600 switch series | Release 63xx, Release 65xx, Release 66xx
ES5500 switch series | Release 63xx, Release 65xx, Release 66xx
S5560S-EI switch series, S5560S-SI switch series | Release 63xx
S5500V3-24P-SI switch, S5500V3-48P-SI switch | Release 63xx
S5500V3-SI switch series (except the S5500V3-24P-SI and S5500V3-48P-SI switches) | Release 11xx
S5170-EI switch series | Release 11xx
S5130S-HI switch series, S5130S-EI switch series, S5130S-SI switch series, S5130S-LI switch series | Release 63xx
S5120V2-SI switch series, S5120V2-LI switch series | Release 63xx
S5120V3-EI switch series | Release 11xx
S5120V3-36F-SI switch, S5120V3-28P-HPWR-SI switch, S5120V3-54P-PWR-SI switch | Release 11xx
S5120V3-SI switch series (except the S5120V3-36F-SI, S5120V3-28P-HPWR-SI, and S5120V3-54P-PWR-SI switches) | Release 63xx
S5120V3-LI switch series | Release 63xx
S3600V3-EI switch series | Release 11xx
S3600V3-SI switch series | Release 11xx
S3100V3-EI switch series, S3100V3-SI switch series | Release 63xx
S5110V2 switch series | Release 63xx
S5110V2-SI switch series | Release 63xx
S5000V3-EI switch series, S5000V5-EI switch series | Release 63xx
S5000E-X switch series, S5000X-EI switch series | Release 63xx
E128C switch, E152C switch, E500C switch series, E500D switch series | Release 63xx
MS4320V2 switch series, MS4320V3 switch series, MS4300V2 switch series, MS4320 switch series, MS4200 switch series | Release 63xx
WS5850-WiNet switch series | Release 63xx
WS5820-WiNet switch series, WS5810-WiNet switch series | Release 63xx
WAS6000 switch series | Release 63xx
IE4300-12P-AC switch, IE4300-12P-PWR switch, IE4300-M switch series, IE4320 switch series | Release 63xx



Configuring Device A

# Configure VLAN-interface 2 and VLAN-interface 11, and assign them IP addresses.

<DeviceA> system-view

[DeviceA] vlan 2

[DeviceA-vlan2] quit

[DeviceA] vlan 11

[DeviceA-vlan11] quit

[DeviceA] interface vlan-interface 2

[DeviceA-Vlan-interface2] ip address 24

[DeviceA-Vlan-interface2] quit

[DeviceA] interface vlan-interface 11

[DeviceA-Vlan-interface11] ip address 24

[DeviceA-Vlan-interface11] quit

# Assign the corresponding physical interfaces to the VLANs. (Details not shown.)

# Configure a static route to the RADIUS server.

[DeviceA] ip route-static

Configuring Device B

# Configure VLAN-interface 10 and VLAN-interface 11, and assign them IP addresses.

<DeviceB> system-view

[DeviceB] vlan 10

[DeviceB-vlan10] quit

[DeviceB] vlan 11

[DeviceB-vlan11] quit

[DeviceB] interface vlan-interface 11

[DeviceB-Vlan-interface11] ip address 24

[DeviceB-Vlan-interface11] quit

[DeviceB] interface vlan-interface 10

[DeviceB-Vlan-interface10] ip address 24

[DeviceB-Vlan-interface10] quit

# Configure portal authentication server newpt.

[DeviceB] portal server newpt

[DeviceB-portal-server-newpt] ip key simple portal

[DeviceB-portal-server-newpt] port 50100

[DeviceB-portal-server-newpt] quit

# Configure portal Web server newpt. The URL must be the same as the URL configured for the portal page on the portal Web server.

[DeviceB] portal web-server newpt

[DeviceB-portal-websvr-newpt] url

[DeviceB-portal-websvr-newpt] quit

# Enable cross-subnet authentication on VLAN-interface 11, the interface connected to Device A.

[DeviceB] interface Vlan-interface 11

[DeviceB-Vlan-interface11] portal enable method layer3

# Configure the BAS-IP as for portal packets sent from VLAN-interface 11 to the portal authentication server.

[DeviceB-Vlan-interface11] portal bas-ip

# Specify portal Web server newpt on VLAN-interface 11.

[DeviceB-Vlan-interface11] portal apply web-server newpt

[DeviceB-Vlan-interface11] quit

# Create a RADIUS scheme named imc and enter its view.

[DeviceB] radius scheme imc

# Specify the primary authentication and accounting server, and configure the keys for communication with the server.

[DeviceB-radius-imc] primary authentication

[DeviceB-radius-imc] primary accounting

[DeviceB-radius-imc] key authentication simple expert

[DeviceB-radius-imc] key accounting simple expert

# Exclude the ISP domain name from the username sent to the RADIUS server.

[DeviceB-radius-imc] user-name-format without-domain

[DeviceB-radius-imc] quit

# Enable the RADIUS session-control feature.

[DeviceB] radius session-control enable

# Create an ISP domain named portal.com and enter its view.

[DeviceB] domain portal.com

# Configure AAA methods for the ISP domain.

[DeviceB-isp-portal.com] authentication portal radius-scheme imc

[DeviceB-isp-portal.com] authorization portal radius-scheme imc

[DeviceB-isp-portal.com] accounting portal radius-scheme imc

[DeviceB-isp-portal.com] quit

# Specify domain portal.com as the default ISP domain. If a user enters the username without the ISP domain name at login, the AAA methods of the default domain are used for the user.

[DeviceB] domain default enable portal.com

# Configure a static route to Department A.

[DeviceB] ip route-static

Configuring the RADIUS and portal server

Adding an access device

1.     Log in to IMC, and click the User tab.

2.     From the navigation tree, select User Access Manager > Access Device Management > Access Device.

3.     Click Add.

The Add Access Device page appears.

4.     In the Access Configuration area, configure the following parameters:

¡     Enter expert in the Shared Key and Confirm Shared Key fields.

¡     Enter 1812 in the Authentication Port field and 1813 in the Accounting Port field.

¡     Select LAN Access Service from the Service Type list.

¡     Select H3C(General) from the Access Device Type list.

5.     In the Device List area, click Add Manually.

6.     On the page that appears, enter IP address in the Start IP field, and click OK.

7.     Click OK.

Figure 2 Adding an access device


Adding an access policy

1.     Click the User tab.

2.     From the navigation tree, select User Access Manager > Access Policy.

3.     Click Add.

4.     On the page that appears, enter portal in the Access Policy Name field. Use the default settings for other parameters.

5.     Click OK.

Figure 3 Adding an access policy


Adding an access service

1.     Click the User tab.

2.     From the navigation tree, select User Access Manager > Access Service.

3.     Click Add.

4.     On the page that appears, configure the following parameters:

¡     Enter Portal-auth in the Service Name field.

¡     Select portal from the Default Access Policy list.

¡     Use the default settings for other parameters.

5.     Click OK.

Figure 4 Adding an access service


Configuring an access user

1.     Click the User tab.

2.     From the navigation tree, select Access User > All Access Users.

3.     Click Add.

The Add Access User page appears.

4.     In the Access Information area, click the Add User button for the User Name field.

5.     On the page that appears, configure the following parameters:

¡     Enter hello in the User Name field.

¡     Enter 111111 in the Identity Number field.

¡     Use the default settings for other parameters.

¡     Click OK.

Figure 5 Adding a user


6.     In the Access Information area, enter portal in the Account Name field and configure the password as 123456 for the account.

7.     In the Access Service area, select the access service named Portal-auth.

8.     Use the default settings for other parameters.

9.     Click OK.

Figure 6 Configuring an access user


Configuring a portal page

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Portal Service > Server.

3.     Use the default settings for all parameters.

4.     Click OK.

Figure 7 Configuring a portal page


Adding an IP group for portal authentication

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Portal Service > IP Group.

3.     Click Add.

4.     On the page that appears, configure the following parameters:

¡     Enter Portal_user in the IP Group Name field.

¡     Enter in the Start IP field and in the End IP field.

¡     Use the default settings for other parameters.

5.     Click OK.

Figure 8 Adding an IP group


Configuring an access device for portal authentication

1.     Click the User tab.

2.     From the navigation tree, select User Access Policy > Portal Service > Device.

3.     Click Add.

4.     On the Add Device page, configure the following parameters:

¡     Enter NAS in the Device Name field.

¡     Enter in the IP Address field.

¡     Enter portal in the Key and Confirm Key fields.

The key must be the same as that for the portal authentication server configured on Device B.

¡     Select Layer 3 from the Access Method list.

¡     Use the default settings for other parameters.

5.     Click OK.

Figure 9 Adding an access device


Configuring a port group for portal authentication

1.     On the Device page, click the Port Group icon.

Figure 10 Accessing the Device page


2.     On the Configure Port Group page, click Add.

3.     On the Add Port Group page, configure the following parameters:

¡     Enter portal in the Port Group Name field.

¡     Select Portal_user from the IP Group list.

¡     Use the default settings for other parameters.

4.     Click OK.

Figure 11 Adding a port group


Verifying the configuration

A user can perform portal authentication by using the H3C iNode client or through a Web page. This example triggers portal authentication by accessing a Web page.

# Access a Web page through a Web browser on a host. You are redirected to the authentication page. Enter the username portal and the password 123456 to log in. After passing the authentication, you are redirected to the authentication success page.

# Execute the display portal user command on Device B to display the portal user information.

[DeviceB] display portal user interface vlan-interface 11

Total portal users: 1

Username: portal

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC              IP                Vlan   Interface

  0015-e9a6-7cfe       11     Vlan-interface11

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Configuration files

·     Device A:


vlan 2


vlan 11


interface Vlan-interface2

 ip address


interface Vlan-interface11

 ip address


ip route-static 24


·     Device B:


vlan 10 to 11


interface Vlan-interface10

 ip address


interface Vlan-interface11

 ip address

 portal enable method layer3

 portal bas-ip

 portal apply web-server newpt


ip route-static 24


radius session-control enable 


radius scheme imc

 primary authentication

 primary accounting

 key authentication cipher $c$3$M30nGDQxiOCAxe2AJ9yEZdk8kjoWag==

 key accounting cipher $c$3$M23dGDQxiOCAxe2BJ9yEZdk8kjoWag==

 user-name-format without-domain


domain portal.com

 authentication portal radius-scheme imc

 authorization portal radius-scheme imc

 accounting portal radius-scheme imc


domain default enable portal.com


portal web-server newpt



portal server newpt

 ip key cipher $c$3$r0VxoIiBrpzju9h2akP4TxyknX8VTuYKfA==
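
The restrictions and guidelines at the top of this document (BAS-IP must equal the IP address registered on the portal authentication server, and RADIUS session control must be enabled when IMC is the RADIUS server) can be checked mechanically against a saved Device B configuration. The following Python script is an added example, not H3C code; the addresses are constructed documentation values, and `IMC_DEVICE`, `parse_sections`, and `audit` are hypothetical names standing in for the portal server's device entry and the checks.

```python
import re

# Constructed sample in the layout of the Device B configuration file above.
# 192.0.2.x and 198.51.100.x are documentation addresses, not this page's values.
SAMPLE_CONFIG = """\
#
interface Vlan-interface11
 ip address 198.51.100.1 255.255.255.0
 portal enable method layer3
 portal bas-ip 198.51.100.1
 portal apply web-server newpt
#
radius session-control enable
#
radius scheme imc
 primary authentication 192.0.2.111
 primary accounting 192.0.2.111
 user-name-format without-domain
#
domain portal.com
 authentication portal radius-scheme imc
 authorization portal radius-scheme imc
 accounting portal radius-scheme imc
#
portal web-server newpt
 url http://192.0.2.111:8080/portal
#
portal server newpt
 ip 192.0.2.111 key cipher $c$3$placeholder
"""

# Hypothetical record of the "Add Device" values entered on the portal server.
IMC_DEVICE = {"ip_address": "198.51.100.1", "access_method": "Layer 3"}

# CLI method keyword -> Access Method label used in this document.
METHOD_LABEL = {"layer3": "Layer 3", "direct": "Directly Selected"}


def parse_sections(text):
    """Split a configuration into (header, [sub-commands]) pairs.

    Top-level commands start in column 0; commands inside a view are indented.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            continue
        if line[0].isspace():
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections


def first_match(pattern, lines):
    """Return group 1 of the first line that fully matches pattern, else None."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return m.group(1)
    return None


def audit(text, imc_device):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(text)
    top = [header for header, _ in sections]
    web_servers = {h.split()[2] for h in top if h.startswith("portal web-server ")}
    schemes = {h.split()[2] for h in top if h.startswith("radius scheme ")}
    findings = []
    if "radius session-control enable" not in top:
        findings.append("global: radius session-control enable is missing, "
                        "so logout requests from the RADIUS server are not received")
    for header, body in sections:
        kind, _, name = header.partition(" ")
        if kind == "interface":
            method = first_match(r"portal enable method (\S+)", body)
            if method is None:
                continue  # portal is not enabled on this interface
            bas_ip = first_match(r"portal bas-ip (\S+)", body)
            if bas_ip is None:
                findings.append(f"{name}: portal enabled without portal bas-ip")
            elif bas_ip != imc_device["ip_address"]:
                findings.append(f"{name}: BAS-IP {bas_ip} differs from portal "
                                f"server device IP {imc_device['ip_address']}")
            if METHOD_LABEL.get(method) != imc_device["access_method"]:
                findings.append(f"{name}: method {method} does not match "
                                f"Access Method {imc_device['access_method']!r}")
            web = first_match(r"portal apply web-server (\S+)", body)
            if web not in web_servers:
                findings.append(f"{name}: portal Web server {web} is not applied or not defined")
        elif kind == "domain" and not name.startswith("default "):
            for service in ("authentication", "authorization", "accounting"):
                scheme = first_match(rf"{service} portal radius-scheme (\S+)", body)
                if scheme not in schemes:
                    findings.append(f"domain {name}: {service} portal uses "
                                    f"missing or undefined RADIUS scheme {scheme}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, IMC_DEVICE) or ["no findings"]:
        print(finding)
```

The parser relies on the one-space indentation of commands inside a view, so run it on the configuration file as saved by the device rather than on a copy with the indentation stripped.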


Example: Configuring extended cross-subnet portal authentication

Network configuration

As shown in Figure 12, Device B supports portal authentication. An IMC server acts as a portal authentication server, a portal Web server, a RADIUS server, and a security policy server. The RADIUS server is used to perform AAA on portal users. The security policy server is deployed to perform security check on portal-authenticated users. In this example, the IMC server runs IMC PLAT 7.0 (E0202) and IMC UAM 7.0 (E0202).

Configure extended cross-subnet portal authentication. Before passing portal authentication, a host can access only the portal Web server. After the host passes authentication, the security policy server performs a security check on the host. If the host fails the security check, the host is permitted to access only the Patch/Virus definitions update server. After passing the security check, the host can access resources in the IP network.

Figure 12 Network diagram



To enable Device B to perform cross-subnet portal authentication through RADIUS, you must complete the following tasks:

·     Configure the portal authentication and Web server, and enable cross-subnet portal authentication.

·     Configure the RADIUS scheme. Specify the AAA server for the scheme and apply the scheme to the portal authentication domain.

To perform security check on authenticated users, you must complete the following tasks:

·     On Device B, create an ACL (ACL 3000 in this example) for users who fail security checks, and an ACL (ACL 3001 in this example) for users who pass security checks.

·     On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.

Applicable hardware and software versions

The following matrix shows the hardware and software versions to which this configuration example is applicable:



Hardware | Software version
S6812 switch series, S6813 switch series | Release 66xx
S6550XE-HI switch series | Release 6008 and later
S6525XE-HI switch series | Release 6008 and later
S5850 switch series | Release 8005 and later
S5570S-EI switch series | Release 11xx
S5560X-EI switch series | Release 63xx, Release 65xx, Release 66xx
S5560X-HI switch series | Release 63xx, Release 65xx, Release 66xx
S5500V2-EI switch series | Release 63xx, Release 65xx, Release 66xx
MS4520V2-30F switch | Release 63xx, Release 65xx, Release 66xx
MS4520V2-30C switch, MS4520V2-54C switch | Release 65xx, Release 66xx
MS4520V2-28S switch, MS4520V2-24TP switch | Release 63xx
S6520X-HI switch series, S6520X-EI switch series | Release 63xx, Release 65xx, Release 66xx
S6520X-SI switch series, S6520-SI switch series | Release 63xx, Release 65xx, Release 66xx
S5000-EI switch series | Release 63xx, Release 65xx, Release 66xx
MS4600 switch series | Release 63xx, Release 65xx, Release 66xx
ES5500 switch series | Release 63xx, Release 65xx, Release 66xx
S5560S-EI switch series, S5560S-SI switch series | Release 63xx
S5500V3-24P-SI switch, S5500V3-48P-SI switch | Release 63xx
S5500V3-SI switch series (except the S5500V3-24P-SI and S5500V3-48P-SI switches) | Release 11xx
S5170-EI switch series | Release 11xx
S5130S-HI switch series, S5130S-EI switch series, S5130S-SI switch series, S5130S-LI switch series | Release 63xx
S5120V2-SI switch series, S5120V2-LI switch series | Release 63xx
S5120V3-EI switch series | Release 11xx
S5120V3-36F-SI switch, S5120V3-28P-HPWR-SI switch, S5120V3-54P-PWR-SI switch | Release 11xx
S5120V3-SI switch series (except the S5120V3-36F-SI, S5120V3-28P-HPWR-SI, and S5120V3-54P-PWR-SI switches) | Release 63xx
S5120V3-LI switch series | Release 63xx
S3600V3-EI switch series | Release 11xx
S3600V3-SI switch series | Release 11xx
S3100V3-EI switch series, S3100V3-SI switch series | Release 63xx
S5110V2 switch series | Release 63xx
S5110V2-SI switch series | Release 63xx
S5000V3-EI switch series, S5000V5-EI switch series | Release 63xx
S5000E-X switch series, S5000X-EI switch series | Release 63xx
E128C switch, E152C switch, E500C switch series, E500D switch series | Release 63xx
MS4320V2 switch series, MS4320V3 switch series, MS4300V2 switch series, MS4320 switch series, MS4200 switch series | Release 63xx
WS5850-WiNet switch series | Release 63xx
WS5820-WiNet switch series, WS5810-WiNet switch series | Release 63xx
WAS6000 switch series | Release 63xx
IE4300-12P-AC switch, IE4300-12P-PWR switch, IE4300-M switch series, IE4320 switch series | Release 63xx



Configuring Device A

# Configure VLAN-interface 2 and VLAN-interface 11, and assign them IP addresses.

<DeviceA> system-view

[DeviceA] vlan 2

[DeviceA-vlan2] quit

[DeviceA] vlan 11

[DeviceA-vlan11] quit

[DeviceA] interface vlan-interface 2

[DeviceA-Vlan-interface2] ip address 24

[DeviceA-Vlan-interface2] quit

[DeviceA] interface vlan-interface 11

[DeviceA-Vlan-interface11] ip address 24

[DeviceA-Vlan-interface11] quit

# Assign the corresponding physical interfaces to the VLANs. (Details not shown.)

# Configure a static route to the RADIUS, portal, and security policy server.

[DeviceA] ip route-static

# Configure a static route to the patch and virus definitions update server.

[DeviceA] ip route-static

Configuring Device B

# Configure VLAN-interface 10, VLAN-interface 11, and VLAN-interface 12, and assign them IP addresses.

<DeviceB> system-view

[DeviceB] vlan 10

[DeviceB-vlan10] quit

[DeviceB] vlan 11

[DeviceB-vlan11] quit

[DeviceB] vlan 12

[DeviceB-vlan12] quit

[DeviceB] interface vlan-interface 11

[DeviceB-Vlan-interface11] ip address 24

[DeviceB-Vlan-interface11] quit

[DeviceB] interface vlan-interface 10

[DeviceB-Vlan-interface10] ip address 24

[DeviceB-Vlan-interface10] quit

[DeviceB] interface vlan-interface 12

[DeviceB-Vlan-interface12] ip address 24

[DeviceB-Vlan-interface12] quit

# Configure the portal authentication server newpt.

[DeviceB] portal server newpt

[DeviceB-portal-server-newpt] ip key simple portal

[DeviceB-portal-server-newpt] port 50100

[DeviceB-portal-server-newpt] quit

# Configure portal Web server newpt. The URL must be the same as the URL configured for the portal page on the portal Web server.

[DeviceB] portal web-server newpt

[DeviceB-portal-websvr-newpt] url

[DeviceB-portal-websvr-newpt] quit

# Enable cross-subnet authentication on VLAN-interface 11, the interface connected to Device A.

[DeviceB] interface Vlan-interface 11

[DeviceB-Vlan-interface11] portal enable method layer3

# Configure the BAS-IP as for portal packets sent from VLAN-interface 11 to the portal authentication server.

[DeviceB-Vlan-interface11] portal bas-ip

# Specify portal Web server newpt on VLAN-interface 11.

[DeviceB-Vlan-interface11] portal apply web-server newpt

[DeviceB-Vlan-interface11] quit

# Create a static route to Department A.

[DeviceB] ip route-static

# Create a RADIUS scheme named imc and enter its view.

[DeviceB] radius scheme imc

# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the server.

[DeviceB-radius-imc] primary authentication

[DeviceB-radius-imc] primary accounting

[DeviceB-radius-imc] key authentication simple expert

[DeviceB-radius-imc] key accounting simple expert

# Exclude the ISP domain name from the username sent to the RADIUS server.

[DeviceB-radius-imc] user-name-format without-domain

[DeviceB-radius-imc] quit

# Enable RADIUS session control.

[DeviceB] radius session-control enable

# Create an ISP domain named portal.com and enter its view.

[DeviceB] domain portal.com

# Configure AAA methods for the ISP domain.

[DeviceB-isp-portal.com] authentication portal radius-scheme imc

[DeviceB-isp-portal.com] authorization portal radius-scheme imc

[DeviceB-isp-portal.com] accounting portal radius-scheme imc

[DeviceB-isp-portal.com] quit

# Specify domain portal.com as the default ISP domain. If a user enters the username without the ISP domain name at login, the AAA methods of the default domain are used for the user.

[DeviceB] domain default enable portal.com

# Configure ACL 3000 to permit access only to the Patch/Virus definitions update server and ACL 3001 to permit access to any IP address.

[DeviceB] acl number 3000

[DeviceB-acl-adv-3000] rule permit ip destination 0

[DeviceB-acl-adv-3000] rule deny ip

[DeviceB-acl-adv-3000] quit

[DeviceB] acl number 3001

[DeviceB-acl-adv-3001] rule permit ip

[DeviceB-acl-adv-3001] quit
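
How the isolation ACL (3000) and the security ACL (3001) decide what a portal user can reach is shown by the following Python model, which parses the two ACLs and applies first-match evaluation with wildcard masks. It is an added example, not H3C code; 192.0.2.114 is a constructed stand-in for the update server address, the function names are hypothetical, and evaluation in ascending rule-ID order is assumed.

```python
import ipaddress
import re

# Constructed sample in the layout of the Device B configuration file.
# 192.0.2.114 stands in for the patch/virus-definitions update server.
ACL_CONFIG = """\
acl number 3000
 rule 0 permit ip destination 192.0.2.114 0
 rule 5 deny ip
#
acl number 3001
 rule 0 permit ip
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?$")


def to_int(token):
    """Accept a dotted-quad value or the CLI shorthand 0 (wildcard 0.0.0.0)."""
    return int(ipaddress.IPv4Address(token)) if "." in token else int(token)


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, address, wildcard), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None  # end of the ACL view
        elif line.startswith("acl number "):
            current = acls.setdefault(int(line.split()[2]), [])
        elif current is not None and (m := RULE_RE.match(line)):
            rule_id, action, addr, wildcard = m.groups()
            if addr is None:  # "permit ip" / "deny ip": any destination
                addr, wildcard = "0.0.0.0", "255.255.255.255"
            current.append((int(rule_id), action, to_int(addr), to_int(wildcard)))
    return acls


def evaluate(rules, destination):
    """First matching rule decides (ascending rule ID, an assumption here).

    A wildcard bit of 1 means "ignore this bit", so wildcard 0 matches exactly
    one host. Returns None when no rule matches.
    """
    dst = int(ipaddress.IPv4Address(destination))
    for _, action, addr, wildcard in sorted(rules):
        if ((dst ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:
            return action
    return None


def reachable(acls, passed_security_check, destination):
    """ACL 3001 applies after a passed security check, ACL 3000 otherwise."""
    number = 3001 if passed_security_check else 3000
    return evaluate(acls[number], destination) == "permit"


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for passed in (False, True):
        for dst in ("192.0.2.114", "203.0.113.9"):
            print(f"passed={passed} dst={dst} reachable={reachable(acls, passed, dst)}")
```

If `rule deny ip` is left out of ACL 3000, `evaluate` returns None for every other destination, which makes the isolation result depend on the device's handling of unmatched packets instead of on an explicit rule.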

Configuring the RADIUS, portal, and security policy server

# Configure the RADIUS server and portal server. For more information, see "Configuring the RADIUS and portal server."

# Configure the security policy server. Make sure you specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL.

Verifying the configuration

A user can perform the extended cross-subnet authentication only by using the H3C iNode client.

# Open the iNode client on a host, and create a portal connection. Enter the username and password and click Connect. The user passes the portal authentication.

# On the iNode client, check security check information. The user failed to pass the security check.

# Display portal user information on Device B to verify that ACL 3000 has been deployed to the user.

[DeviceB] display portal user all

Total portal users: 1

Username: portal

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  0015-e9a6-7cfe            11     Vlan-interface11

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: 3000

    Inbound CAR: N/A

    Outbound CAR: N/A

# Update the virus database on the host to meet the security requirement.

# On the iNode client, disconnect the portal connection and then log in again. Check security check information. The iNode client displays that the host successfully passed the security check.

# Display portal user information on Device B to verify that ACL 3001 has been deployed to the portal user.

[DeviceB] display portal user all

Total portal users: 1

Username: portal

  Portal server: newpt

  State: Online

  Authorization ACL: 3001

  VPN instance: N/A

  MAC             IP                    VLAN    Interface

  0015-e9a6-7cfe            11      Vlan-interface11

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: 3001

    Inbound CAR: N/A

    Outbound CAR: N/A

Configuration files

·     Device A:


vlan 2


vlan 11


interface Vlan-interface2

 ip address


interface Vlan-interface11

 ip address


ip route-static 24

ip route-static 24


·     Device B:


vlan 10 to 12


interface Vlan-interface10

 ip address


interface Vlan-interface11

 ip address

 portal enable method layer3

 portal bas-ip

 portal apply web-server newpt


interface Vlan-interface12

 ip address


ip route-static 24


acl number 3000

 rule 0 permit ip destination 0

 rule 5 deny ip


acl number 3001

 rule 0 permit ip


radius session-control enable


radius scheme imc

 primary authentication

 primary accounting

 key authentication cipher $c$3$M30nGDQxiOCAxe2AJ9yEZdk8kjoWag==

 key accounting cipher $c$3$M23dGDQxiOCAxe2BJ9yEZdk8kjoWag==

 user-name-format without-domain


domain portal.com

 authentication portal radius-scheme imc

 authorization portal radius-scheme imc

 accounting portal radius-scheme imc


domain default enable portal.com


portal web-server newpt



portal server newpt

 ip key cipher $c$3$r0VxoIiBrpzju9h2akP4TxyknX8VTuYKfA==


Example: Configuring direct portal authentication

Network configuration

As shown in Figure 13, hosts in Department A are directly connected to the device. An IMC server acts as a portal authentication server, a portal Web server, and a RADIUS server. The RADIUS server is used to perform AAA on portal users. In this example, the IMC server runs IMC PLAT 7.0 (E0202) and IMC UAM 7.0 (E0202).

Configure direct portal authentication. The hosts can access only the portal server before passing authentication and can access other network resources after passing authentication.

Figure 13 Network diagram



To enable the device to perform portal authentication through RADIUS, you must complete the following tasks:

·     Configure the portal authentication and Web server, and enable direct portal authentication.

·     Configure the RADIUS scheme. Specify the AAA server for the scheme and apply the scheme to the portal authentication domain.

Applicable hardware and software versions

The following matrix shows the hardware and software versions to which this configuration example is applicable:



Hardware | Software version
S6812 switch series, S6813 switch series | Release 66xx
S6550XE-HI switch series | Release 6008 and later
S6525XE-HI switch series | Release 6008 and later
S5850 switch series | Release 8005 and later
S5570S-EI switch series | Release 11xx
S5560X-EI switch series | Release 63xx, Release 65xx, Release 66xx
S5560X-HI switch series | Release 63xx, Release 65xx, Release 66xx
S5500V2-EI switch series | Release 63xx, Release 65xx, Release 66xx
MS4520V2-30F switch | Release 63xx, Release 65xx, Release 66xx
MS4520V2-30C switch, MS4520V2-54C switch | Release 65xx, Release 66xx
MS4520V2-28S switch, MS4520V2-24TP switch | Release 63xx
S6520X-HI switch series, S6520X-EI switch series | Release 63xx, Release 65xx, Release 66xx
S6520X-SI switch series, S6520-SI switch series | Release 63xx, Release 65xx, Release 66xx
S5000-EI switch series | Release 63xx, Release 65xx, Release 66xx
MS4600 switch series | Release 63xx, Release 65xx, Release 66xx
ES5500 switch series | Release 63xx, Release 65xx, Release 66xx
S5560S-EI switch series, S5560S-SI switch series | Release 63xx
S5500V3-24P-SI switch, S5500V3-48P-SI switch | Release 63xx
S5500V3-SI switch series (except the S5500V3-24P-SI and S5500V3-48P-SI switches) | Release 11xx
S5170-EI switch series | Release 11xx
S5130S-HI switch series, S5130S-EI switch series, S5130S-SI switch series, S5130S-LI switch series | Release 63xx
S5120V2-SI switch series, S5120V2-LI switch series | Release 63xx
S5120V3-EI switch series | Release 11xx
S5120V3-36F-SI switch, S5120V3-28P-HPWR-SI switch, S5120V3-54P-PWR-SI switch | Release 11xx
S5120V3-SI switch series (except the S5120V3-36F-SI, S5120V3-28P-HPWR-SI, and S5120V3-54P-PWR-SI switches) | Release 63xx
S5120V3-LI switch series | Release 63xx
S3600V3-EI switch series | Release 11xx
S3600V3-SI switch series | Release 11xx
S3100V3-EI switch series, S3100V3-SI switch series | Release 63xx
S5110V2 switch series | Release 63xx
S5110V2-SI switch series | Release 63xx
S5000V3-EI switch series, S5000V5-EI switch series | Release 63xx
S5000E-X switch series, S5000X-EI switch series | Release 63xx
E128C switch, E152C switch, E500C switch series, E500D switch series | Release 63xx
MS4320V2 switch series, MS4320V3 switch series, MS4300V2 switch series, MS4320 switch series, MS4200 switch series | Release 63xx
WS5850-WiNet switch series | Release 63xx
WS5820-WiNet switch series, WS5810-WiNet switch series | Release 63xx
WAS6000 switch series | Release 63xx
IE4300-12P-AC switch, IE4300-12P-PWR switch, IE4300-M switch series, IE4320 switch series | Release 63xx



Configuring the device

# Configure VLAN-interface 10 and VLAN-interface 11, and assign them IP addresses.

<Device> system-view

[Device] vlan 10

[Device-vlan10] quit

[Device] vlan 11

[Device-vlan11] quit

[Device] interface vlan-interface 11

[Device-Vlan-interface11] ip address 24

[Device-Vlan-interface11] quit

[Device] interface vlan-interface 10

[Device-Vlan-interface10] ip address 24

[Device-Vlan-interface10] quit

# Configure the portal authentication server newpt.

[Device] portal server newpt

[Device-portal-server-newpt] ip key simple portal

[Device-portal-server-newpt] port 50100

[Device-portal-server-newpt] quit

# Configure portal Web server newpt. The URL must be the same as the URL configured for the portal page on the portal Web server.

[Device] portal web-server newpt

[Device-portal-websvr-newpt] url

[Device-portal-websvr-newpt] quit

# Enable direct portal authentication on VLAN-interface 11.

[Device] interface Vlan-interface 11

[Device-Vlan-interface11] portal enable method direct

# Configure the BAS-IP as for portal packets sent from VLAN-interface 11 to the portal authentication server.

[Device-Vlan-interface11] portal bas-ip

# Specify portal Web server newpt on VLAN-interface 11.

[Device-Vlan-interface11] portal apply web-server newpt

[Device-Vlan-interface11] quit

# Create a RADIUS scheme named imc and enter its view.

[Device] radius scheme imc

# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the server.

[Device-radius-imc] primary authentication

[Device-radius-imc] primary accounting

[Device-radius-imc] key authentication simple expert

[Device-radius-imc] key accounting simple expert

# Exclude the ISP domain name from the username sent to the RADIUS server.

[Device-radius-imc] user-name-format without-domain

[Device-radius-imc] quit

# Enable the RADIUS session-control feature.

[Device] radius session-control enable

# Create an ISP domain named portal.com and enter its view.

[Device] domain portal.com

# Configure AAA methods for the ISP domain.

[Device-isp-portal.com] authentication portal radius-scheme imc

[Device-isp-portal.com] authorization portal radius-scheme imc

[Device-isp-portal.com] accounting portal radius-scheme imc

[Device-isp-portal.com] quit

# Specify ISP domain portal.com as the default ISP domain. If a user enters the username without the ISP domain name at login, the authentication and accounting methods of the default domain are used for the user.

[Device] domain default enable portal.com

Configuring the RADIUS and portal server

Configure the RADIUS server and portal server. For more information, see "Configuring the RADIUS and portal server."

When you configure an access device for portal authentication (as shown in Figure 13), select Directly Selected from the Access Method list, and enter in the IP Address field.

Verifying the configuration

A user can perform portal authentication by using the H3C iNode client or through a Web page. This example uses the Web page.

# Access a Web page through a Web browser on a host. You are redirected to the authentication page. Enter the username portal and the password 123456 to log in. After passing the authentication, you are redirected to the authentication success page.

# Execute the display portal user command to display portal user information on Device.

[Device] display portal user interface vlan-interface 11

Total portal users: 1

Username: portal

  Portal server: newpt

  State: Online

  VPN instance: N/A

  MAC              IP                Vlan   Interface

  0015-e9a6-7cfe       11     Vlan-interface11

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Configuration files


vlan 10 to 11


interface Vlan-interface10

 ip address


interface Vlan-interface11

 ip address

 portal enable method direct

 portal bas-ip

 portal apply web-server newpt


radius session-control enable 


radius scheme imc

 primary authentication

 primary accounting

 key authentication cipher $c$3$M30nGDQxiOCAxe2AJ9yEZdk8kjoWag==

 key accounting cipher $c$3$M23dGDQxiOCAxe2BJ9yEZdk8kjoWag==

 user-name-format without-domain


domain portal.com

 authentication portal radius-scheme imc

 authorization portal radius-scheme imc

 accounting portal radius-scheme imc


domain default enable portal.com


portal web-server newpt



portal server newpt

 ip key cipher $c$3$r0VxoIiBrpzju9h2akP4TxyknX8VTuYKfA==


