NGFW portal authentication experiment

Catalog

The topology

Experimental instructions

Basic configuration

Firewall configuration

test

To configure Portal authentication

test

The topology

Experimental instructions

• Intranet allowed Web Gateway host uses firewall G1/0/0 Interface login management firewall
• Configure on the firewall SNAT,Client Use public address 202.1.1.1-202.1.1.5 Visit the Internet
• Intranet Client visit Telnet Server It needs to be done first Portal authentication , After certification , To allow Client Visit the Internet

Basic configuration

• Web The network management host uses a physical machine ,VMnet1 NIC IP The address is configured to 192.168.43.1/24, Gateway is 192.168.43.254

• Client Use VMware in Win10 virtual machine , The network card uses host only mode , Connect to VMnet1 NIC

• Cloud To configure

• Basic firewall configuration
  • Configure interface IP Address , Gateway services that allow interfaces
  • Configure the default route

• Telnet Server Basic configuration
  • Configure interface IP Address , Configure backhaul static routing
  • To configure Telnet User password and user login permission of the service

Firewall configuration

• To configure NAT Address pool , And configuration NAT Strategy

• Configure security policy , release trust Area to untrust Regional Telnet service

test

• stay Client Upper use telnet 2.2.2.2, Test whether you can login to Telnet Server
  • View the session table entry of the firewall

• Client Normal access Tenlet Server
• The firewall is right Client The private network address of has been converted

To configure Portal authentication

• Web Log in to the firewall management page , Configure authentication policy

• New user group , Create a new user to belong to this user group

• Configure authentication options . The ports used can be configured 、 Whether the user's password needs to be modified after logging in 、Portal Authentication page customization and other functions

• Configuration allowed Portal Security policy of message passing through firewall
  • Portal The default is TCP Of 8887 port

• Because the interface of the firewall returns to Client Of Portal Authentication page , The interface of firewall belongs to Local Regional , So the destination area is selected Local

test

• stay Client On , Use the browser to trigger HTTP Online behavior , Check to see if there is Portal Authentication page push

• Because there is no DNS Domain name resolution , So just use one IP Address , Visit , Trigger HTTP net flow
• Use http://1.1.1.1 Will push the login page of the firewall

• You can receive messages pushed by the firewall Portal Authentication page

• Use the created user , Log on to the test

• Login successful ！

• Re in Client Try to login to Telnet Server

• Login successful ！

• View the session table entries and online users on the firewall

• You can see Telnet Session table entry . Online user information , You can also see the login information of the user 、 Group to which you belong 、 Authentication method and other information

• Force users to offline on the firewall , Check whether you can still log in Telnet Server

• Login failed ！