
H3C integration with an external Portal + Radius authentication and accounting system, implementing mac-trigger fast authentication (MAC-transparent authentication) combined with...

admin | Replies: 0 | Views: 1637 | Posted on 2021-10-12 08:43:41
H3C integration with an external Portal authentication + Radius authentication and accounting platform

Implementing MAC-transparent (unattended) authentication based on the mac-trigger fast-authentication protocol

Combined with L2TP for deployment on Alibaba Cloud

Integrates with AD domain LDAP to provide real-name username/password authentication, guest SMS authentication, QR-code scan authentication, DingTalk authorization, quick guest account creation by ID-card swipe, two-factor and multi-factor authentication, and related functions

Requirements:
        The H3C WX2510H can act as the egress gateway for PPPoE dial-up or leased-line connections. It supports L2TP (which allows a cloud-hosted authentication and accounting deployment model in dial-up or multi-dial dynamic-IP network environments), supports MAC fast transparent authentication via the mac-trigger protocol together with Portal authentication, supports both the CMCC and IMC protocol modes, and supports per-VAP rate limiting and vcl policy delivery.

The topology is as follows:

[Topology diagram: 20211011224732334.png]


Device configuration:

******************************************************************************
* Copyright (c) 2004-2018 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

login: admin
Password:
<H3C-WX2510H>sys
System View: return to User View with Ctrl+Z.
[H3C-WX2510H]dis cur
#
version 7.1.064, Release 5226
#
sysname H3C-WX2510H
#
telnet server enable
#
dialer-group 1 rule ip permit
#
dhcp enable
#
password-recovery enable
#
vlan 1
#
vlan 100
#
vlan 200
#
dhcp server ip-pool wlan
 gateway-list 172.16.0.1
 network 172.16.0.0 mask 255.255.255.0
 dns-list 114.114.114.114 202.98.192.67
 forbidden-ip 172.16.0.1
 forbidden-ip 172.16.0.10
#
interface Dialer0
 ppp chap password cipher $c$3$MnsrYXKEg3UAugDLYToYM+rvweSIr2YBdw==
 ppp chap user 0851xxxxxxxx
 dialer bundle enable
 dialer-group 1
 dialer timer idle 0
 dialer timer autodial 60
 ip address ppp-negotiate
 nat outbound
#
interface Virtual-PPP1
 ppp chap password cipher $c$3$hgiYV2peyVHqfHszwP0PeYvpne1lIQ==
 ppp chap user xxxxxxxx
 ip address ppp-negotiate
 l2tp-auto-client l2tp-group 1
#
interface NULL0
#
interface Vlan-interface100
 ip address 192.168.0.20 255.255.255.0
 nat outbound
 undo dhcp select server
#
interface Vlan-interface200
 ip address 172.16.0.1 255.255.255.0
 dhcp server apply ip-pool wlan
 portal enable method direct
 portal domain v5
 portal bas-ip 10.0.0.100
 portal fail-permit server v5
 portal apply web-server v5
 portal apply mac-trigger-server v5
 portal fail-permit web-server
 portal outbound-filter enable
#
interface GigabitEthernet1/0/5
 port link-mode route
 description wan
 shutdown
 pppoe-client dial-bundle-number 0
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 200 untagged
 port hybrid pvid vlan 200
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port access vlan 100
#
interface GigabitEthernet1/0/3
 port link-mode bridge
 port access vlan 100
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 100
#
scheduler logfile size 16
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 31
 authentication-mode scheme
 user-role network-operator
#
ip route-static 0.0.0.0 0 192.168.0.254
ip route-static 0.0.0.0 0 Dialer0 preference 100
ip route-static 10.0.0.1 32 Virtual-PPP1
#
undo info-center logfile enable
#
acl advanced 3000
 rule 0 deny ip destination 114.114.114.114 0
 rule 10 permit ip
#
radius session-control enable
radius nas-ip 192.168.0.20
#
radius scheme portal
 primary authentication 192.168.0.1
 primary accounting 192.168.0.1
 key authentication cipher $c$3$luljjvSNrw/TiOjAFHbig+9EmAtbbSy/Ow==
 key accounting cipher $c$3$2QBlzJAD/HaBi3qkXtkZ5aqfSXwq6eVObg==
 timer realtime-accounting 5
 user-name-format without-domain
 nas-ip 192.168.0.20
#
radius scheme v5
 primary authentication 10.0.0.1
 primary accounting 10.0.0.1
 key authentication cipher $c$3$gkLbvh+cFPOjtAYvqTzGIpQDlUkUqFTtww==
 key accounting cipher $c$3$1G2kuCiURMD6ywMsvhnznS3K8KIVYhViRQ==
 timer realtime-accounting 5
 user-name-format without-domain
 nas-ip 10.0.0.100
#
radius dynamic-author server
 client ip 192.168.0.1 key cipher $c$3$ZritD/wSB3Dx8xkoJqDXOuuc0izCVlfsvQ==
 client ip 10.0.0.1 key cipher $c$3$imaB4mamtOkg0YB8nPzyA6RJ0HJg5htCYA==
#
domain portal
 authorization-attribute idle-cut 600 10240
 authentication portal radius-scheme portal
 authorization portal radius-scheme portal
 accounting portal radius-scheme portal
#
domain system
#
domain v5
 authorization-attribute idle-cut 600 10240
 authentication portal radius-scheme v5
 authorization portal radius-scheme v5
 accounting portal radius-scheme v5
#
domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$V6l15zHsaTdPV4Et$mYd9zqUrfLD/gay4+cnAkQGdlh0BbYKYWgVNgVGR9IL9CwR5ueibOiXVom1E5/ZbZMR7tEHpz2Iil+0tcj3CIw==
 service-type telnet http https
 authorization-attribute user-role network-admin
#
l2tp-group 1 mode lac
 lns-ip 39.108.188.100
 undo tunnel authentication
#
l2tp enable
#
portal nas-port-id format 4
portal host-check enable
portal free-rule 0 source ip 192.168.0.1 255.255.255.255 destination ip any
portal free-rule 1 source ip any destination ip 192.168.0.1 255.255.255.255
portal free-rule 10 source ip 114.114.114.114 255.255.255.255 destination ip any
portal free-rule 11 source ip any destination ip 114.114.114.114 255.255.255.255
portal free-rule 12 source ip 118.118.118.9 255.255.255.255 destination ip any
portal free-rule 13 source ip any destination ip 118.118.118.9 255.255.255.255
portal free-rule 14 source ip 118.118.118.7 255.255.255.255 destination ip any
portal free-rule 15 source ip any destination ip 118.118.118.7 255.255.255.255
portal free-rule 16 source ip 202.98.198.167 255.255.255.255 destination ip any
portal free-rule 17 source ip any destination ip 202.98.198.167 255.255.255.255
portal free-rule 18 source ip 202.98.192.67 255.255.255.255 destination ip any
portal free-rule 19 source ip any destination ip 202.98.192.67 255.255.255.255
portal free-rule 20 source ip 39.108.188.100 255.255.255.255 destination ip any
portal free-rule 21 source ip any destination ip 39.108.188.100 255.255.255.255
#
portal web-server portal
 url http://192.168.0.1/html_phone_all/index.html
 server-detect interval 60 retry 2 trap
 server-type cmcc
 url-parameter basip value 192.168.0.20
 url-parameter mac source-mac
 url-parameter url original-url
 url-parameter vlan vlan
 url-parameter wlanuserip source-address
#
portal web-server v5
 url https://portal.openportal.com.cn/index_choose
 server-type cmcc
 url-parameter basip value 10.0.0.100
 url-parameter mac source-mac
 url-parameter url original-url
 url-parameter vlan vlan
 url-parameter wlanuserip source-address
#
portal server portal
 ip 192.168.0.1 key cipher $c$3$btxt8S1jS5tOQlrl+xVpvuaJFUJJLITTlg==
 server-detect trap
 server-type cmcc
#
portal server v5
 ip 10.0.0.1 key cipher $c$3$Tru54pt2cHm4xVo17Vl+bdJ3epbN6GO3Vw==
 server-type cmcc
#
ip http enable
ip https enable
#
portal mac-trigger-server portal
 ip 192.168.0.1 key cipher $c$3$T6WO1a9vipUaJJbV6jZgkSAFnKnxJTvJEA==
 server-type cmcc
 binding-retry 1
 aaa-fail nobinding enable
#
portal mac-trigger-server v5
 ip 10.0.0.1 key cipher $c$3$gT5/4cnmESqMniE2zxUQlu2sKswhntmM7A==
 server-type cmcc
 binding-retry 1
 aaa-fail nobinding enable
#
wlan global-configuration
#
wlan ap-group default-group
 vlan 1
#
return
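As an added example (not part of the original post, and not an H3C or OpenPortal tool), the following Python script audits a Comware "display current-configuration" dump for the settings in the configuration above that a reviewer would confirm before going live: Telnet management, the VTY authentication mode, the L2TP tunnel with authentication disabled (plain L2TP also provides no confidentiality, so the RADIUS and Portal exchanges inside it cross the Internet as they are on the wire), the portal fail-permit survivability settings, and the portal free-rule bypass list. SAMPLE_CONFIG is a constructed excerpt of the post's configuration with placeholder cipher and hash values; the parser expects sub-commands to be indented by one space, as the device prints them.

```python
# Added example: audit a Comware config dump for review-worthy settings.
# SAMPLE_CONFIG is a constructed excerpt of the forum post's configuration;
# the cipher/hash values are placeholders, not the real ones.
SAMPLE_CONFIG = """\
#
telnet server enable
#
password-recovery enable
#
interface Vlan-interface200
 ip address 172.16.0.1 255.255.255.0
 portal enable method direct
 portal domain v5
 portal fail-permit server v5
 portal fail-permit web-server
 portal apply web-server v5
 portal apply mac-trigger-server v5
#
line vty 0 31
 authentication-mode scheme
 user-role network-operator
#
radius scheme v5
 primary authentication 10.0.0.1
 primary accounting 10.0.0.1
 key authentication cipher $c$3$PLACEHOLDER
 nas-ip 10.0.0.100
#
local-user admin class manage
 password hash $h$6$PLACEHOLDER
 service-type telnet http https
 authorization-attribute user-role network-admin
#
l2tp-group 1 mode lac
 lns-ip 39.108.188.100
 undo tunnel authentication
#
portal free-rule 20 source ip 39.108.188.100 255.255.255.255 destination ip any
portal free-rule 21 source ip any destination ip 39.108.188.100 255.255.255.255
#
return
"""


def parse_blocks(text):
    """Split a config dump into (header, [sub-commands]) blocks.

    A '#' line or an unindented line starts a new block; indented lines are
    sub-commands of the current header. 'return' and blank lines are ignored.
    """
    blocks, header, subs = [], None, []
    for raw in text.splitlines():
        if raw.strip() in ("#", "", "return"):
            if header is not None:
                blocks.append((header, subs))
            header, subs = None, []
            continue
        if raw[0].isspace() and header is not None:
            subs.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, subs))
            header, subs = raw.strip(), []
    if header is not None:
        blocks.append((header, subs))
    return blocks


def audit(text):
    """Return a list of (severity, message) findings for the config."""
    findings = []
    blocks = parse_blocks(text)
    for header, subs in blocks:
        if header == "telnet server enable":
            findings.append(("high", "Telnet server enabled: management credentials "
                             "travel in cleartext; prefer SSH and disable Telnet"))
        if header == "password-recovery enable":
            findings.append(("info", "password-recovery enable: console password reset "
                             "is possible with physical access"))
        if header.startswith("line vty") and "authentication-mode scheme" not in subs:
            findings.append(("high", f"{header}: VTY lines not using AAA "
                             "(authentication-mode scheme)"))
        if header.startswith("local-user") and any(
                s.startswith("service-type") and "telnet" in s.split() for s in subs):
            findings.append(("medium", f"{header}: account permits the Telnet service"))
        if header.startswith("l2tp-group") and "undo tunnel authentication" in subs:
            findings.append(("medium", f"{header}: L2TP tunnel authentication disabled; "
                             "the tunnel peer is not authenticated"))
        if header.startswith("radius scheme"):
            if not any(s.startswith("key authentication") for s in subs):
                findings.append(("high", f"{header}: no authentication shared key"))
            if not any(s.startswith("primary authentication") for s in subs):
                findings.append(("high", f"{header}: no primary authentication server"))
        if header.startswith("interface") and "portal enable method direct" in subs:
            if any(s.startswith("portal fail-permit") for s in subs):
                findings.append(("info", f"{header}: fail-permit configured; users get "
                                 "open access while the portal/AAA server is unreachable "
                                 "(survivability by design; monitor server-detect traps)"))
            if not any(s.startswith("portal apply web-server") for s in subs):
                findings.append(("high", f"{header}: portal enabled but no web-server "
                                 "applied; clients cannot be redirected"))
    free = [h for h, _ in blocks if h.startswith("portal free-rule")]
    if free:
        findings.append(("info", f"{len(free)} portal free-rule entries bypass "
                         "authentication; review their destinations"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a full dump saved from the device by replacing SAMPLE_CONFIG with the file contents; the checks are deliberately string-based so they can be extended with one line per additional setting.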

Introduction:

        OpenPortal network access authentication and accounting integrates with all H3C AC controllers that support Portal authentication, such as the WX2510H, WX3540H and WX6108; all Layer-3 switches that support Portal authentication, such as the S12708, S5560, 7506 and 7706; all access routers and firewalls that support Portal authentication, such as the H3C ICG2000B; and multi-service BRAS gateways.

        It comprises a Portal protocol authentication system plus a Radius AAA authentication, accounting and authorization system. It supports the CMCC V1/V2 protocol standards and Huawei Portal protocol V1/V2, the Radius protocol per RFC 2865 and RFC 2866, the CMCC-standard mac-trigger protocol and standard mac-auth MAC-priority fast (transparent) MAC authentication, delivery of rate-limit policies, ACLs, ip-pools and other access-policy settings, and Portal heartbeat keepalive detection with fail-open (escape) for both H3C and Huawei devices.

        Supported authentication modes include username/password, SMS, DingTalk authorization, WeChat, WeChat official account, quiz, video countdown, face recognition, guest QR-code authorization, LDAP/AD domain combined authentication, third-party OA system extension authentication and more; it also supports secondary proxy-dial authentication, user self-registration, and self-service selection and payment of billing plans via Alipay and WeChat Pay.
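As an added example (not part of the original post, and not OpenPortal's or H3C's code), the following Python shows the RFC 2865 mechanics that the `key authentication cipher` shared secrets in the `radius scheme` blocks drive: the NAS hides User-Password in an Access-Request with an MD5 keystream derived from the secret and the Request Authenticator, and the server signs its reply with a Response Authenticator that the NAS must verify before trusting an Access-Accept. The secret, username, password and NAS IP are constructed sample values; the NAS IP reuses the post's 192.168.0.20.

```python
# Added example: minimal RFC 2865 Access-Request construction and
# Response Authenticator verification. All values are constructed samples.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR the NUL-padded password with MD5 keystream blocks."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # next block is chained on the previous ciphertext block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password (what the RADIUS server does); padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret,
                         request_auth=None):
    """Build an Access-Request; returns (packet, request_authenticator)."""
    if request_auth is None:
        request_auth = os.urandom(16)  # must be unpredictable per RFC 2865
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_attributes(packet):
    """Return [(type, value)] from the attribute area of a packet."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """Server side: Access-Accept/Reject carrying a Response Authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """NAS side: accept the reply only if its authenticator matches under `secret`."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-secret"
    req, ra = build_access_request(7, b"alice", b"s3cret", "192.168.0.20", secret)
    reply = build_response(ACCESS_ACCEPT, 7, b"", ra, secret)
    print("reply verified:", verify_response(reply, ra, secret))
    print("reply verified with wrong secret:", verify_response(reply, ra, b"wrong"))
```

The point for the deployment above: the shared key is the only thing binding an Access-Accept to the NAS that asked, so a mismatch between the `key authentication` value on the AC and the one on the OpenPortal server shows up as every reply failing this check, and a key that is weak or reused across NAS devices weakens both the password hiding and the reply check at once.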


For integrating an H3C WX2510H series AC controller with a third-party portal, see the following article:

H3C-WX2510H integration with the OpenPortal network access authentication and accounting system for MAC fast authentication + Portal authentication _ OpenPortal network access Web authentication - CSDN blog

For integrating a Huawei AC6605 series AC controller with a third-party portal, see the following article:

Huawei AC6605 integration with the OpenPortal network access authentication and accounting system for MAC fast authentication + Portal authentication _ OpenPortal network access Web authentication - CSDN blog




