154
2.
Configure an authentication domain.
# Create an ISP domain named
dm1
and enter its view.
[RouterA] domain dm1
# Configure AAA methods for the ISP domain.
[RouterA-isp-dm1] authentication portal radius-scheme rs1
[RouterA-isp-dm1] authorization portal radius-scheme rs1
[RouterA-isp-dm1] accounting portal radius-scheme rs1
[RouterA-isp-dm1] quit
# Configure
dm1
as the default ISP domain for all users. Then, if a user enters a username without any
ISP domain at logon, the authentication and accounting methods of the default domain are used for the
user.
[RouterA] domain default enable dm1
3.
Configure the ACL (ACL 3000 ) for resources on subnet 192.168.0.0/24 and the ACL (ACL 3001)
for Internet resources.
NOTE:
On the security policy server, specify ACL 3000 as the isolation ACL and ACL 3001 as the security
ACL.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255
[RouterA-acl-adv-3000] rule deny ip
[RouterA-acl-adv-3000] quit
[RouterA] acl number 3001
[RouterA-acl-adv-3001] rule permit ip
[RouterA-acl-adv-3001] quit
4.
Configure extended portal authentication.
# Configure the portal server as needed:
[RouterA] portal server newpt ip 192.168.0.111 key portal port 50100 url
http://192.168.0.111:8080/portal
# Enable portal authentication on the interface connecting Router B.
[RouterA] interface gigabitethernet 1/0/2
[RouterA–Gigabitethernet1/0/2] portal server newpt method layer3
[RouterA–Gigabitethernet1/0/2] quit
On Router B, configure a default route to subnet 192.168.0.0/24, setting the next hop as 20.20.20.1.
The configuration steps are omitted.
Configuring portal stateful failover
Network requirements
As shown in
, a failover link is present between Router A and Router B. Both Router A and
Router B support portal authentication. Configure stateful failover between Router A and Router B to
support portal service backup and use VRRP to implement traffic switchover between the routers. More
specifically: