2024年1月19日发(作者:茆雪卉)
OpenPortalServer开源Portal协议WEB认证服务器
作者:LeeSon
QQ:25901875
E-Mail:LeeSon@
OpenPortal官方交流群 119688084
该软件是基于华为AC/BAS PORTAL协议的服务端程序,Java编写,开源。
最新源代码下载地址:/lishuocool /SoftLeeSon/
支持Huawei H3C Portal V1 V2协议PAP CHAP认证方式的Portal服务器
-------------------------------------------------------------------------------------------
新手安装配置说明:
-------------------------------------------------------------------------------------------
windows环境下:
1.首先保证已有JDK1.7环境,MySQL环境 ,tomcat7
2.解压路径无中文及空格
3.配置文件说明 ties
首先修改该数据库配置文件
创建openportalserver数据库 UTF-8字符集
导入数据库文件
后台账号:admin 密码:admin
4.配置AC设备 安装和配置Radius服务
如果使用AC模拟器进行模拟测试则可忽略这步
如果使用页面展示、本地接入用户认证方式 不用配置radius
5.运行 bin/ 快捷方式
6.浏览器服务器IP
7.如果使用AC模拟器测试用户名密码随意 如果真实环境(不用我废话了)
-------------------------------------------------------------------------------------------
Linux环境: 安装jdk1.7 mysql tomcat7 将解压目录下的webapps目录替换
对接配置说明:
超时设置 3-5秒
日志记录 是否输出详细日志到文件
验证码设置 是否开启用户登陆的验证码
用户心跳 是否进行用户离线检测
超时重复次数 一次检查周期内 用户在线检测超时几次算已经下线
计费检测周期 间隔多长时间检测一次用户是否在线,余额是否够
认证方式 页面展示,本地接入用户,外接radius
自助注册开关 是否允许自助注册接入用户,默认每个新用户给10分钟的时长
设备账号 对应设备的local-user用户账号密码,在本地接入用户和页面展示 认证方式时必须配置,而且设备用默认domain
设备密码 对应设备的local-user用户账号密码,在本地接入用户和页面展示 认证方式时必须配置,而且设备用默认domain
-------------------------------------------------------------------------------------------
本地用户认证模式则 下面交换机不用设置[SWITCH] domain 设备账号密码就是交换机的账号密码
-------------------------------------------------------------------------------------------
以华为S5700交换机为例,配置信息详细说明:
交换机配置如下配置步骤
步骤 1
创建 VLAN 并配置接口允许通过的 VLAN,保证网络通畅。
# 创建 VLAN10 和 VLAN20。
[SWITCH] vlan batch 10 20
# 配置交换机连接上行网络的接口 E0/0/1 为 Access 类型接口,并将 GE0/0/1 加入
VLAN20。
[SWITCH] interface Ethernet0/0/1
[SWITCH-Ethernet0/0/2] port link-type access
[SWITCH-Ethernet0/0/2] port default vlan 20
[SWITCH-Ethernet0/0/2] quit
# 配置交换机连接 RADIUS 和 portalServer 的接口 E0/0/2 为Access 类型接口,并
将 GE0/0/2 加入 VLAN20。
[SWITCH] interface Ethernet0/0/2
[SWITCH-Ethernet0/0/2] port link-type access
[SWITCH-Ethernet0/0/2] port default vlan 20
[SWITCH-Ethernet0/0/2] quit
# 创建 VLANIF10 和 VLANIF20,并配置VLANIF 的 IP 地址,以使用户终端、Switch、
企业内网资源之间能够建立起路由。此处假设 VLANIF10 的 IP 地址为192.168.10.20/24;
VLANIF20 的 IP 地址为 192.168.20.29/24。
[SWITCH] interface vlanif 10
[SWITCH-Vlanif10] ip address 192.168.10.20 24 //10.1
[SWITCH] interface vlanif 20
[SWITCH-Vlanif20] ip address 192.168.0.1 24 //0.1
[SWITCH-Vlanif20] quit
步骤 2
创建并配置 RADIUS 服务器模板、AAA 方案以及认证域。
# 创建并配置 RADIUS 服务器模板“rd1”。
[SWITCH] radius-server template rd1
[SWITCH-radius-rd1] radius-server authentication 192.168.0.2 1812
[SWITCH-radius-rd1] radius-server accounting 192.168.0.2 1813
[SWITCH-radius-rd1] radius-server shared-key simple leeson
[SWITCH-radius-rd1] radius-server retransmit 2
[SWITCH-radius-rd1] quit
# 创建 AAA 方案“abc”并配置认证方式为 RADIUS。
[SWITCH] aaa
[SWITCH-aaa] authentication-scheme abc
[SWITCH-aaa-authen-abc] authentication-mode radius
[SWITCH-aaa-authen-abc] quit
[SWITCH-aaa] accounting-scheme acc
[SWITCH-aaa-acc-abc] accounting-mode radius
[SWITCH-aaa-acc-abc] quit
# 创建认证域“”,并在其上绑定AAA 方案“abc”与RADIUS 服务器模板“rd1”。
[SWITCH-aaa] domain
[SWITCH-aaa-domain-isp1] authentication-scheme abc
[SWITCH-aaa-domain-isp1] accounting-scheme acc
[SWITCH-aaa-domain-isp1] radius-server rd1
[SWITCH-aaa-domain-isp1] quit
[SWITCH-aaa] quit
# 配置全局默认域为“”。用户进行接入认证时,以格式“user@”输
入用户名即可在 域下进行 aaa 认证。如果用户名中不携带域名或携带的域名
不存在,用户将会在默认域中进行认证。
[SWITCH] domain
步骤 3
配置外部 Portal 认证
# 创建并配置名称为“abc”的 Portal 服务器模板。
[SWITCH] web-auth-server abc
[SWITCH -web-auth-server-abc] server-ip 192.168.0.2
[SWITCH -web-auth-server-abc] port 50100
[SWITCH -web-auth-server-abc] shared-key simple leeson
[SWITCH -web-auth-server-abc] url 192.168.0.2
[SWITCH -web-auth-server-abc] quit
# 使能 Portal 认证功能。
[SWITCH] interface vlanif 10
[SWITCH -Vlanif10] web-auth-server abc direct
[SWITCH -Vlanif10] quit
步骤 4
查看配置的 Portal 服务器的参数信息。
# 执行命令 display web-auth-server configuration 查看 Portal 服务器相关的
配置信息。
Listening port : 2000
Portal : version 1, version 2
Include reply message : enabled
-----------------------------------------------------------------------
- Web-auth-server Name : abc
IP-address : 192.168.20.30
Shared-key : %$%$]$c{$)Bp!XFdN>G2DBG(T#wn%$%$
Port / PortFlag : 50100 / NO
URL : 192.168.0.2
Bounded Vlanif : 10
-----------------------------------------------------------------------
- 1 Web authentication server(s) in total
步骤 5
在交换机上添加默认路由:ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
其中 192.168.0.1为交换机上行端口的网关地址
步骤 6
配置 portal 白名单
portal free-rule 0 destination ip 192.168.0.1 mask 255.255.255.255
portal free-rule 1 destination ip 192.168.0.2 mask 255.255.255.255
portal free-rule 2 destination ip mask 255.255.255.255
其中的 为用户认证之后上网所需的 DNS 地址,实际以真实网络环境中的
DNS为准
//排除网关 PORTAL服务器 Radius服务器 DNS
可选配置:
接口视图下(vlan-if,ge):dhcp select relay
# 使能接口VLANIF100的DHCP Relay功能。
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp select relay
#Portal用户下线探测
portal timer offline-detect命令用来配置Portal认证用户下线探测周期。
undo portal timer offline-detect命令用来恢复下线探测周期的缺省值。
缺省情况下,下线探测周期为300秒。
注意:portal timer offline-detect命令功能仅适用于二层Portal认证方式。
-------------------------------------------------------------------------------------------------------
OpenPortalServer对接 华为S5700配置
[Quidway]dis cur
#
!Software Version V200R001C00SPC300
sysname Quidway
#
vlan batch 10 100
#
web-auth-server version v2
portal free-rule 2 source ip 10.0.0.100 mask 255.255.255.255
portal free-rule 3 destination ip 10.0.0.100 mask 255.255.255.255
portal free-rule 4 destination ip 10.0.0.1 mask 255.255.255.255
portal free-rule 5 source ip 10.0.0.1 mask 255.255.255.255
portal free-rule 6 source ip 192.168.100.1 mask 255.255.255.255
portal free-rule 7 destination ip 192.168.100.1 mask 255.255.255.255
#
domain
#
http server load
#
undo nap slave enable
#
dhcp enable
#
radius-server template leeson
radius-server shared-key simple leeson
radius-server authentication 10.0.0.100 1812
radius-server accounting 10.0.0.100 1813
radius-server retransmit 2
#
web-auth-server leeson
server-ip 10.0.0.100
port 50100
shared-key simple leeson
url 10.0.0.100/OpenPortalServer
source-ip 10.0.0.1
#
aaa
authentication-scheme default
authentication-scheme leeson
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme leeson
accounting-mode radius
domain default
domain default_admin
domain
authentication-scheme leeson
accounting-scheme leeson
radius-server leeson
local-user admin password cipher %$%$03~N$}rD0X}s=D%#SD-/ybYP%$%$
local-user admin privilege level 15
local-user admin service-type http
local-user leeson password cipher %$%$3.-^M/J1RB:MO{"t&bDyeS%$%$
local-user leeson privilege level 15
#
interface Vlanif1
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
web-auth-server leeson direct
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
web-auth-server leeson direct
dhcp select interface
-------------------------------------------------------------------------------------------
H3C-MSR830-10对接OpenPortal配置
portal server cbqt_wifi_pts ip 192.168.1.250 key cipher
$c$3$WcdcTvygU/tgJgwXYIR72l92h8HoFlyWoCFi8RS2Cj1goAg= url
192.168.1.250:8081/portal server-type imc
portal free-rule 0 source ip any destination ip 114.114.114.114 mask 255.255.255.255
portal free-rule 1 source ip any destination ip 192.168.1.254 mask 255.255.255.255
portal free-rule 2 source ip any destination ip 192.168.70.254 mask 255.255.255.255
portal free-rule 3 source ip any destination ip 192.168.1.250 mask 255.255.255.255
portal server cbqt_wifi_pts server-detect method http action permit-all interval 600 retry 5
interface Vlan-interface70
ip address 192.168.70.254 255.255.255.0
dhcp select relay
dhcp relay server-select 1
portal server cbqt_wifi_pts method direct
ip policy-based-route WAN-TAIQIU
radius scheme cbqt_wifi_rs
server-type extended
primary authentication 192.168.1.250
primary accounting 192.168.1.250
key authentication cipher $c$3$Jb32HhDG0KQEFUJK/ie49Sc5ARR1gBavK0rY+MOwlhSU=
key accounting cipher $c$3$nG1DwgslbalnXYZul3aAOdVU8ro2+/cWK4Oi6adZw/Rv5ZM=
user-name-format without-domain
#
domain cbqt_wifi_dm
authentication portal radius-scheme cbqt_wifi_rs
authorization portal radius-scheme cbqt_wifi_rs
accounting portal radius-scheme cbqt_wifi_rs
access-limit disable
state active
idle-cut disable
self-service-url disable
H3C-MSR对接配置
[BEGIN] 2015/8/12 13:13:39
#
version 5.20, Release 2311
#
sysname H3C-MSR
#
ftp server enable
#
l2tp enable
#
firewall enable
#
nat address-group 1
nat aging-time udp 180
#
domain default enable system
#
dar p2p signature-file flash:/p2p_
#
lldp enable
#
qos carl 1 destination-ip-address range 192.169.0.31 to 192.169.0.254 per-address share
d-bandwidth
qos carl 10 source-ip-address range 192.169.0.31 to 192.169.0.254 per-address shared-ba
ndwidth
#
portal server portal ip 192.169.0.20 key cipher $c$3$tmKimwpWYurgJSFeXElUKoFApV9rMZ6xfw
== url 192.169.0.20:8080
portal free-rule 0 source ip any destination ip 218.201.4.3 mask 255.255.255.255
portal free-rule 1 source ip any destination ip 192.169.0.20 mask 255.255.255.255
portal server portal server-detect method http action permit-all interval 60 retry 5
#
ip http port 9000
#
blacklist enable
#
acl number 3000
rule 0 permit ip source 192.169.0.0 0.0.15.255
rule 1 permit ip source 192.169.101.0 0.0.0.255
rule 100 deny ip
acl number 3002 name LAN-Defend
rule 0 deny tcp destination-port eq 135
rule 1 deny udp destination-port eq 135
rule 2 deny tcp destination-port eq 139
rule 3 deny udp destination-port eq netbios-dgm
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-ssn
rule 6 deny tcp destination-port eq 137
rule 7 deny tcp destination-port eq 138
rule 8 deny udp destination-port eq 136
rule 200 permit icmp
rule 300 permit ip source 192.169.0.0 0.0.15.255
rule 301 permit ip source 192.169.101.0 0.0.0.255
rule 302 permit ip source 192.169.99.0 0.0.0.7
rule 303 permit udp destination-port eq bootps
rule 400 deny ip
acl number 3003 name WAN-Defend
rule 0 deny tcp destination-port eq 135
rule 1 deny udp destination-port eq 135
rule 2 deny udp destination-port eq netbios-dgm
rule 3 deny udp destination-port eq netbios-ns
rule 4 deny udp destination-port eq netbios-ssn
rule 5 deny tcp destination-port eq 139
rule 6 deny tcp destination-port eq 137
rule 7 deny tcp destination-port eq 138
rule 8 deny udp destination-port eq 136
rule 300 permit udp source-port eq dns
rule 400 permit ip destination 192.169.0.0 0.0.15.255
rule 401 permit ip destination 192.169.101.0 0.0.0.255
rule 402 permit ip destination 192.169.99.0 0.0.0.7
rule 403 permit tcp destination-port eq 22
rule 404 permit tcp destination-port eq www
rule 405 permit tcp destination-port eq 443
rule 406 permit udp destination-port eq 1701
rule 407 deny ip
acl number 3100
description inside access domain-server
rule 10 deny ip source 192.169.10.0 0.0.0.255
rule 11 deny ip source 192.169.11.0 0.0.0.255
rule 12 deny ip source 192.169.12.0 0.0.0.255
rule 13 deny ip source 192.169.13.0 0.0.0.255
rule 14 deny ip source 192.169.14.0 0.0.0.255
rule 15 deny ip source 192.169.15.0 0.0.0.255
rule 100 permit ip source 192.169.0.0 0.0.15.255 destination 192.169.0.20 0
rule 1000 deny ip
#
#
vlan 1
#
radius scheme radius
primary authentication 192.169.0.20 1645 key cipher $c$3$pBtH9ea/vw5AfpLwHPg20KlJE1fGRK
NHJw==
primary accounting 192.169.0.20 1646 key cipher
$c$3$iZTSbzm+q0xelQbsrxER90iYAQKV6aORPA
==
timer realtime-accounting 3
#
domain portal
authentication portal radius-scheme radius local
authorization portal radius-scheme radius local
accounting portal radius-scheme radius local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain pppoe
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 3 192.169.101.2 192.169.101.254
domain pppoe-server-10
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 10 192.169.10.2 192.169.10.254
domain pppoe-server-11
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 11 192.169.11.2 192.169.11.254
domain pppoe-server-12
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 12 192.169.12.2 192.169.12.254
domain pppoe-server-13
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 13 192.169.13.2 192.169.13.254
domain pppoe-server-14
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 14 192.169.14.2 192.169.14.254
domain pppoe-server-15
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 15 192.169.15.2 192.169.15.254
domain system
authentication ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 2 192.169.99.2 192.169.99.10
#
pki entity ssl
common-name ssl
organization-unit xxzx
organization gxgs
locality chongqing
state chongqing
country cn
#
pki domain ssl
ca identifier ssl
certificate request from ra
certificate request entity ssl
crl check disable
#
dhcp server ip-pool 1
network 192.169.0.0 mask 255.255.255.0
gateway-list 192.169.0.1
dns-list 218.201.4.3 218.201.17.2
expired day 5
#
dhcp server ip-pool vlan-10
network 192.169.10.0 mask 255.255.255.0
gateway-list 192.169.10.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-11
network 192.169.11.0 mask 255.255.255.0
gateway-list 192.169.11.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-12
network 192.169.12.0 mask 255.255.255.0
gateway-list 192.169.12.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-13
network 192.169.13.0 mask 255.255.255.0
gateway-list 192.169.13.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-14
network 192.169.14.0 mask 255.255.255.0
gateway-list 192.169.14.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-15
network 192.169.15.0 mask 255.255.255.0
gateway-list 192.169.15.1
dns-list 218.201.4.3 218.201.21.132
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$OPmwVHESNbfHNXczEeMcdq2DmRDCR7kmS/E=
authorization-attribute level 3
service-type ssh terminal
service-type ftp
service-type web
local-user dot1x
password cipher $c$3$nWqagHMVZB63q5qHyLqXBdUlHB39vQ2RPnE=
service-type lan-access
local-user h3c
password cipher $c$3$ZHwyfLAqYN93aNiWN5J8OHGVh3EAgA==
service-type ppp
service-type portal
#
ssl server-policy sslvpn
pki-domain ssl
#
cwmp
undo cwmp enable
#
l2tp-group 1
allow l2tp virtual-template 1
tunnel name LNS
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
pppoe-server bind Virtual-Template 2
#
interface Ethernet0/1
port link-mode route
firewall packet-filter 3003 inbound
nat outbound 3000 address-group 1
ip address
dar enable
qos car inbound carl 1 cir 1600 cbs 100000 ebs 0 green pass red discard
qos car outbound carl 10 cir 400 cbs 25000 ebs 0 green pass red discard
#
interface Ethernet0/2
port link-mode route
speed 100
#
interface Ethernet0/2.10
vlan-type dot1q vid 10
nat outbound 3100
ip address 192.169.10.1 255.255.255.0
#
interface Ethernet0/2.11
vlan-type dot1q vid 11
nat outbound 3100
ip address 192.169.11.1 255.255.255.0
#
interface Ethernet0/2.12
vlan-type dot1q vid 12
nat outbound 3100
ip address 192.169.12.1 255.255.255.0
#
interface Ethernet0/2.13
vlan-type dot1q vid 13
nat outbound 3100
ip address 192.169.13.1 255.255.255.0
#
interface Ethernet0/2.14
vlan-type dot1q vid 14
ip address 192.169.14.1 255.255.255.0
#
interface Ethernet0/2.15
vlan-type dot1q vid 15
nat outbound 3100
ip address 192.169.15.1 255.255.255.0
#
interface Ethernet0/2.20
vlan-type dot1q vid 20
nat outbound 3100
ip address 192.169.20.1 255.255.255.0
portal server portal method direct
#
interface Serial1/0
link-protocol ppp
#
interface Serial1/1
link-protocol ppp
#
interface Virtual-Template1
ppp authentication-mode chap domain system
remote address pool 2
ip address 192.169.99.1 255.255.255.0
#
interface Virtual-Template2
ppp authentication-mode chap domain pppoe
ppp account-statistics enable
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.21.132
remote address pool 3
ip address 192.169.101.1 255.255.255.0
#
interface Virtual-Template10
ppp authentication-mode chap domain pppoe-server-10
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 10
#
interface Virtual-Template11
ppp authentication-mode chap domain pppoe-server-11
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 11
#
interface Virtual-Template12
ppp authentication-mode chap domain pppoe-server-12
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 12
#
interface Virtual-Template13
ppp authentication-mode chap domain pppoe-server-13
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 13
#
interface Virtual-Template14
ppp authentication-mode chap domain pppoe-server-14
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 14
#
interface Virtual-Template15
ppp authentication-mode chap domain pppoe-server-15
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 15
#
interface NULL0
#
interface Vlan-interface1
ip address 192.169.0.1 255.255.255.0
undo ip fast-forwarding
nat outbound 3100
firewall packet-filter 3002 inbound
firewall packet-filter 4000 inbound
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
dhcp-snooping
#
ssl-vpn server-policy sslvpn
ssl-vpn enable
#
#
info-center loghost 192.169.0.6 facility local6
#
dhcp server forbidden-ip 192.169.10.1 192.169.10.10
dhcp server forbidden-ip 192.169.11.1 192.169.11.10
dhcp server forbidden-ip 192.169.12.1 192.169.12.10
dhcp server forbidden-ip 192.169.13.1 192.169.13.10
dhcp server forbidden-ip 192.169.14.1 192.169.14.10
dhcp server forbidden-ip 192.169.15.1 192.169.15.10
dhcp server forbidden-ip 192.169.0.1 192.169.0.30
dhcp server detect
#
dhcp enable
#
ntp-service unicast-server 202.112.10.60
#
ssh server enable
ssh user admin service-type stelnet authentication-type password
#
arp timer aging 10
#
load xml-configuration
#
load tr069-configuration
#
user-interface tty 12
user-interface aux 0
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
#
return
[END] 2015/8/12 13:16:01
2024年1月19日发(作者:茆雪卉)
OpenPortalServer开源Portal协议WEB认证服务器
作者:LeeSon
QQ:25901875
E-Mail:LeeSon@
OpenPortal官方交流群 119688084
该软件是基于华为AC/BAS PORTAL协议的服务端程序,Java编写,开源。
最新源代码下载地址:/lishuocool /SoftLeeSon/
支持Huawei H3C Portal V1 V2协议PAP CHAP认证方式的Portal服务器
-------------------------------------------------------------------------------------------
新手安装配置说明:
-------------------------------------------------------------------------------------------
windows环境下:
1.首先保证已有JDK1.7环境,MySQL环境 ,tomcat7
2.解压路径无中文及空格
3.配置文件说明 ties
首先修改该数据库配置文件
创建openportalserver数据库 UTF-8字符集
导入数据库文件
后台账号:admin 密码:admin
4.配置AC设备 安装和配置Radius服务
如果使用AC模拟器进行模拟测试则可忽略这步
如果使用页面展示、本地接入用户认证方式 不用配置radius
5.运行 bin/ 快捷方式
6.浏览器服务器IP
7.如果使用AC模拟器测试用户名密码随意 如果真实环境(不用我废话了)
-------------------------------------------------------------------------------------------
Linux环境: 安装jdk1.7 mysql tomcat7 将解压目录下的webapps目录替换
对接配置说明:
超时设置 3-5秒
日志记录 是否输出详细日志到文件
验证码设置 是否开启用户登陆的验证码
用户心跳 是否进行用户离线检测
超时重复次数 一次检查周期内 用户在线检测超时几次算已经下线
计费检测周期 间隔多长时间检测一次用户是否在线,余额是否够
认证方式 页面展示,本地接入用户,外接radius
自助注册开关 是否允许自助注册接入用户,默认每个新用户给10分钟的时长
设备账号 对应设备的local-user用户账号密码,在本地接入用户和页面展示 认证方式时必须配置,而且设备用默认domain
设备密码 对应设备的local-user用户账号密码,在本地接入用户和页面展示 认证方式时必须配置,而且设备用默认domain
-------------------------------------------------------------------------------------------
本地用户认证模式则 下面交换机不用设置[SWITCH] domain 设备账号密码就是交换机的账号密码
-------------------------------------------------------------------------------------------
以华为S5700交换机为例,配置信息详细说明:
交换机配置如下配置步骤
步骤 1
创建 VLAN 并配置接口允许通过的 VLAN,保证网络通畅。
# 创建 VLAN10 和 VLAN20。
[SWITCH] vlan batch 10 20
# 配置交换机连接上行网络的接口 E0/0/1 为 Access 类型接口,并将 GE0/0/1 加入
VLAN20。
[SWITCH] interface Ethernet0/0/1
[SWITCH-Ethernet0/0/2] port link-type access
[SWITCH-Ethernet0/0/2] port default vlan 20
[SWITCH-Ethernet0/0/2] quit
# 配置交换机连接 RADIUS 和 portalServer 的接口 E0/0/2 为Access 类型接口,并
将 GE0/0/2 加入 VLAN20。
[SWITCH] interface Ethernet0/0/2
[SWITCH-Ethernet0/0/2] port link-type access
[SWITCH-Ethernet0/0/2] port default vlan 20
[SWITCH-Ethernet0/0/2] quit
# 创建 VLANIF10 和 VLANIF20,并配置VLANIF 的 IP 地址,以使用户终端、Switch、
企业内网资源之间能够建立起路由。此处假设 VLANIF10 的 IP 地址为192.168.10.20/24;
VLANIF20 的 IP 地址为 192.168.20.29/24。
[SWITCH] interface vlanif 10
[SWITCH-Vlanif10] ip address 192.168.10.20 24 //10.1
[SWITCH] interface vlanif 20
[SWITCH-Vlanif20] ip address 192.168.0.1 24 //0.1
[SWITCH-Vlanif20] quit
步骤 2
创建并配置 RADIUS 服务器模板、AAA 方案以及认证域。
# 创建并配置 RADIUS 服务器模板“rd1”。
[SWITCH] radius-server template rd1
[SWITCH-radius-rd1] radius-server authentication 192.168.0.2 1812
[SWITCH-radius-rd1] radius-server accounting 192.168.0.2 1813
[SWITCH-radius-rd1] radius-server shared-key simple leeson
[SWITCH-radius-rd1] radius-server retransmit 2
[SWITCH-radius-rd1] quit
# 创建 AAA 方案“abc”并配置认证方式为 RADIUS。
[SWITCH] aaa
[SWITCH-aaa] authentication-scheme abc
[SWITCH-aaa-authen-abc] authentication-mode radius
[SWITCH-aaa-authen-abc] quit
[SWITCH-aaa] accounting-scheme acc
[SWITCH-aaa-acc-abc] accounting-mode radius
[SWITCH-aaa-acc-abc] quit
# 创建认证域“”,并在其上绑定AAA 方案“abc”与RADIUS 服务器模板“rd1”。
[SWITCH-aaa] domain
[SWITCH-aaa-domain-isp1] authentication-scheme abc
[SWITCH-aaa-domain-isp1] accounting-scheme acc
[SWITCH-aaa-domain-isp1] radius-server rd1
[SWITCH-aaa-domain-isp1] quit
[SWITCH-aaa] quit
# 配置全局默认域为“”。用户进行接入认证时,以格式“user@”输
入用户名即可在 域下进行 aaa 认证。如果用户名中不携带域名或携带的域名
不存在,用户将会在默认域中进行认证。
[SWITCH] domain
步骤 3
配置外部 Portal 认证
# 创建并配置名称为“abc”的 Portal 服务器模板。
[SWITCH] web-auth-server abc
[SWITCH -web-auth-server-abc] server-ip 192.168.0.2
[SWITCH -web-auth-server-abc] port 50100
[SWITCH -web-auth-server-abc] shared-key simple leeson
[SWITCH -web-auth-server-abc] url 192.168.0.2
[SWITCH -web-auth-server-abc] quit
# 使能 Portal 认证功能。
[SWITCH] interface vlanif 10
[SWITCH -Vlanif10] web-auth-server abc direct
[SWITCH -Vlanif10] quit
步骤 4
查看配置的 Portal 服务器的参数信息。
# 执行命令 display web-auth-server configuration 查看 Portal 服务器相关的
配置信息。
Listening port : 2000
Portal : version 1, version 2
Include reply message : enabled
-----------------------------------------------------------------------
- Web-auth-server Name : abc
IP-address : 192.168.20.30
Shared-key : %$%$]$c{$)Bp!XFdN>G2DBG(T#wn%$%$
Port / PortFlag : 50100 / NO
URL : 192.168.0.2
Bounded Vlanif : 10
-----------------------------------------------------------------------
- 1 Web authentication server(s) in total
步骤 5
在交换机上添加默认路由:ip route-static 0.0.0.0 0.0.0.0 192.168.0.1
其中 192.168.0.1为交换机上行端口的网关地址
步骤 6
配置 portal 白名单
portal free-rule 0 destination ip 192.168.0.1 mask 255.255.255.255
portal free-rule 1 destination ip 192.168.0.2 mask 255.255.255.255
portal free-rule 2 destination ip mask 255.255.255.255
其中的 为用户认证之后上网所需的 DNS 地址,实际以真实网络环境中的
DNS为准
//排除网关 PORTAL服务器 Radius服务器 DNS
可选配置:
接口视图下(vlan-if,ge):dhcp select relay
# 使能接口VLANIF100的DHCP Relay功能。
[HUAWEI] dhcp enable
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] dhcp select relay
#Portal用户下线探测
portal timer offline-detect命令用来配置Portal认证用户下线探测周期。
undo portal timer offline-detect命令用来恢复下线探测周期的缺省值。
缺省情况下,下线探测周期为300秒。
注意:portal timer offline-detect命令功能仅适用于二层Portal认证方式。
-------------------------------------------------------------------------------------------------------
OpenPortalServer对接 华为S5700配置
[Quidway]dis cur
#
!Software Version V200R001C00SPC300
sysname Quidway
#
vlan batch 10 100
#
web-auth-server version v2
portal free-rule 2 source ip 10.0.0.100 mask 255.255.255.255
portal free-rule 3 destination ip 10.0.0.100 mask 255.255.255.255
portal free-rule 4 destination ip 10.0.0.1 mask 255.255.255.255
portal free-rule 5 source ip 10.0.0.1 mask 255.255.255.255
portal free-rule 6 source ip 192.168.100.1 mask 255.255.255.255
portal free-rule 7 destination ip 192.168.100.1 mask 255.255.255.255
#
domain
#
http server load
#
undo nap slave enable
#
dhcp enable
#
radius-server template leeson
radius-server shared-key simple leeson
radius-server authentication 10.0.0.100 1812
radius-server accounting 10.0.0.100 1813
radius-server retransmit 2
#
web-auth-server leeson
server-ip 10.0.0.100
port 50100
shared-key simple leeson
url 10.0.0.100/OpenPortalServer
source-ip 10.0.0.1
#
aaa
authentication-scheme default
authentication-scheme leeson
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme leeson
accounting-mode radius
domain default
domain default_admin
domain
authentication-scheme leeson
accounting-scheme leeson
radius-server leeson
local-user admin password cipher %$%$03~N$}rD0X}s=D%#SD-/ybYP%$%$
local-user admin privilege level 15
local-user admin service-type http
local-user leeson password cipher %$%$3.-^M/J1RB:MO{"t&bDyeS%$%$
local-user leeson privilege level 15
#
interface Vlanif1
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
web-auth-server leeson direct
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
web-auth-server leeson direct
dhcp select interface
-------------------------------------------------------------------------------------------
H3C-MSR830-10对接OpenPortal配置
portal server cbqt_wifi_pts ip 192.168.1.250 key cipher
$c$3$WcdcTvygU/tgJgwXYIR72l92h8HoFlyWoCFi8RS2Cj1goAg= url
192.168.1.250:8081/portal server-type imc
portal free-rule 0 source ip any destination ip 114.114.114.114 mask 255.255.255.255
portal free-rule 1 source ip any destination ip 192.168.1.254 mask 255.255.255.255
portal free-rule 2 source ip any destination ip 192.168.70.254 mask 255.255.255.255
portal free-rule 3 source ip any destination ip 192.168.1.250 mask 255.255.255.255
portal server cbqt_wifi_pts server-detect method http action permit-all interval 600 retry 5
interface Vlan-interface70
ip address 192.168.70.254 255.255.255.0
dhcp select relay
dhcp relay server-select 1
portal server cbqt_wifi_pts method direct
ip policy-based-route WAN-TAIQIU
radius scheme cbqt_wifi_rs
server-type extended
primary authentication 192.168.1.250
primary accounting 192.168.1.250
key authentication cipher $c$3$Jb32HhDG0KQEFUJK/ie49Sc5ARR1gBavK0rY+MOwlhSU=
key accounting cipher $c$3$nG1DwgslbalnXYZul3aAOdVU8ro2+/cWK4Oi6adZw/Rv5ZM=
user-name-format without-domain
#
domain cbqt_wifi_dm
authentication portal radius-scheme cbqt_wifi_rs
authorization portal radius-scheme cbqt_wifi_rs
accounting portal radius-scheme cbqt_wifi_rs
access-limit disable
state active
idle-cut disable
self-service-url disable
H3C-MSR对接配置
[BEGIN] 2015/8/12 13:13:39
#
version 5.20, Release 2311
#
sysname H3C-MSR
#
ftp server enable
#
l2tp enable
#
firewall enable
#
nat address-group 1
nat aging-time udp 180
#
domain default enable system
#
dar p2p signature-file flash:/p2p_
#
lldp enable
#
qos carl 1 destination-ip-address range 192.169.0.31 to 192.169.0.254 per-address share
d-bandwidth
qos carl 10 source-ip-address range 192.169.0.31 to 192.169.0.254 per-address shared-ba
ndwidth
#
portal server portal ip 192.169.0.20 key cipher $c$3$tmKimwpWYurgJSFeXElUKoFApV9rMZ6xfw
== url 192.169.0.20:8080
portal free-rule 0 source ip any destination ip 218.201.4.3 mask 255.255.255.255
portal free-rule 1 source ip any destination ip 192.169.0.20 mask 255.255.255.255
portal server portal server-detect method http action permit-all interval 60 retry 5
#
ip http port 9000
#
blacklist enable
#
acl number 3000
rule 0 permit ip source 192.169.0.0 0.0.15.255
rule 1 permit ip source 192.169.101.0 0.0.0.255
rule 100 deny ip
acl number 3002 name LAN-Defend
rule 0 deny tcp destination-port eq 135
rule 1 deny udp destination-port eq 135
rule 2 deny tcp destination-port eq 139
rule 3 deny udp destination-port eq netbios-dgm
rule 4 deny udp destination-port eq netbios-ns
rule 5 deny udp destination-port eq netbios-ssn
rule 6 deny tcp destination-port eq 137
rule 7 deny tcp destination-port eq 138
rule 8 deny udp destination-port eq 136
rule 200 permit icmp
rule 300 permit ip source 192.169.0.0 0.0.15.255
rule 301 permit ip source 192.169.101.0 0.0.0.255
rule 302 permit ip source 192.169.99.0 0.0.0.7
rule 303 permit udp destination-port eq bootps
rule 400 deny ip
acl number 3003 name WAN-Defend
rule 0 deny tcp destination-port eq 135
rule 1 deny udp destination-port eq 135
rule 2 deny udp destination-port eq netbios-dgm
rule 3 deny udp destination-port eq netbios-ns
rule 4 deny udp destination-port eq netbios-ssn
rule 5 deny tcp destination-port eq 139
rule 6 deny tcp destination-port eq 137
rule 7 deny tcp destination-port eq 138
rule 8 deny udp destination-port eq 136
rule 300 permit udp source-port eq dns
rule 400 permit ip destination 192.169.0.0 0.0.15.255
rule 401 permit ip destination 192.169.101.0 0.0.0.255
rule 402 permit ip destination 192.169.99.0 0.0.0.7
rule 403 permit tcp destination-port eq 22
rule 404 permit tcp destination-port eq www
rule 405 permit tcp destination-port eq 443
rule 406 permit udp destination-port eq 1701
rule 407 deny ip
acl number 3100
description inside access domain-server
rule 10 deny ip source 192.169.10.0 0.0.0.255
rule 11 deny ip source 192.169.11.0 0.0.0.255
rule 12 deny ip source 192.169.12.0 0.0.0.255
rule 13 deny ip source 192.169.13.0 0.0.0.255
rule 14 deny ip source 192.169.14.0 0.0.0.255
rule 15 deny ip source 192.169.15.0 0.0.0.255
rule 100 permit ip source 192.169.0.0 0.0.15.255 destination 192.169.0.20 0
rule 1000 deny ip
#
#
vlan 1
#
radius scheme radius
primary authentication 192.169.0.20 1645 key cipher $c$3$pBtH9ea/vw5AfpLwHPg20KlJE1fGRK
NHJw==
primary accounting 192.169.0.20 1646 key cipher
$c$3$iZTSbzm+q0xelQbsrxER90iYAQKV6aORPA
==
timer realtime-accounting 3
#
domain portal
authentication portal radius-scheme radius local
authorization portal radius-scheme radius local
accounting portal radius-scheme radius local
access-limit disable
state active
idle-cut disable
self-service-url disable
domain pppoe
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 3 192.169.101.2 192.169.101.254
domain pppoe-server-10
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 10 192.169.10.2 192.169.10.254
domain pppoe-server-11
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 11 192.169.11.2 192.169.11.254
domain pppoe-server-12
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 12 192.169.12.2 192.169.12.254
domain pppoe-server-13
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 13 192.169.13.2 192.169.13.254
domain pppoe-server-14
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 14 192.169.14.2 192.169.14.254
domain pppoe-server-15
accounting lan-access radius-scheme radius
authentication ppp radius-scheme radius local
authorization ppp radius-scheme radius local
accounting ppp radius-scheme radius
access-limit disable
state active
idle-cut enable 10 10240
self-service-url disable
ip pool 15 192.169.15.2 192.169.15.254
domain system
authentication ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 2 192.169.99.2 192.169.99.10
#
pki entity ssl
common-name ssl
organization-unit xxzx
organization gxgs
locality chongqing
state chongqing
country cn
#
pki domain ssl
ca identifier ssl
certificate request from ra
certificate request entity ssl
crl check disable
#
dhcp server ip-pool 1
network 192.169.0.0 mask 255.255.255.0
gateway-list 192.169.0.1
dns-list 218.201.4.3 218.201.17.2
expired day 5
#
dhcp server ip-pool vlan-10
network 192.169.10.0 mask 255.255.255.0
gateway-list 192.169.10.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-11
network 192.169.11.0 mask 255.255.255.0
gateway-list 192.169.11.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-12
network 192.169.12.0 mask 255.255.255.0
gateway-list 192.169.12.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-13
network 192.169.13.0 mask 255.255.255.0
gateway-list 192.169.13.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-14
network 192.169.14.0 mask 255.255.255.0
gateway-list 192.169.14.1
dns-list 218.201.4.3 218.201.21.132
#
dhcp server ip-pool vlan-15
network 192.169.15.0 mask 255.255.255.0
gateway-list 192.169.15.1
dns-list 218.201.4.3 218.201.21.132
#
user-group system
group-attribute allow-guest
#
local-user admin
password cipher $c$3$OPmwVHESNbfHNXczEeMcdq2DmRDCR7kmS/E=
authorization-attribute level 3
service-type ssh terminal
service-type ftp
service-type web
local-user dot1x
password cipher $c$3$nWqagHMVZB63q5qHyLqXBdUlHB39vQ2RPnE=
service-type lan-access
local-user h3c
password cipher $c$3$ZHwyfLAqYN93aNiWN5J8OHGVh3EAgA==
service-type ppp
service-type portal
#
ssl server-policy sslvpn
pki-domain ssl
#
cwmp
undo cwmp enable
#
l2tp-group 1
allow l2tp virtual-template 1
tunnel name LNS
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Cellular0/0
async mode protocol
link-protocol ppp
#
interface Ethernet0/0
port link-mode route
pppoe-server bind Virtual-Template 2
#
interface Ethernet0/1
port link-mode route
firewall packet-filter 3003 inbound
nat outbound 3000 address-group 1
ip address
dar enable
qos car inbound carl 1 cir 1600 cbs 100000 ebs 0 green pass red discard
qos car outbound carl 10 cir 400 cbs 25000 ebs 0 green pass red discard
#
interface Ethernet0/2
port link-mode route
speed 100
#
interface Ethernet0/2.10
vlan-type dot1q vid 10
nat outbound 3100
ip address 192.169.10.1 255.255.255.0
#
interface Ethernet0/2.11
vlan-type dot1q vid 11
nat outbound 3100
ip address 192.169.11.1 255.255.255.0
#
interface Ethernet0/2.12
vlan-type dot1q vid 12
nat outbound 3100
ip address 192.169.12.1 255.255.255.0
#
interface Ethernet0/2.13
vlan-type dot1q vid 13
nat outbound 3100
ip address 192.169.13.1 255.255.255.0
#
interface Ethernet0/2.14
vlan-type dot1q vid 14
ip address 192.169.14.1 255.255.255.0
#
interface Ethernet0/2.15
vlan-type dot1q vid 15
nat outbound 3100
ip address 192.169.15.1 255.255.255.0
#
interface Ethernet0/2.20
vlan-type dot1q vid 20
nat outbound 3100
ip address 192.169.20.1 255.255.255.0
portal server portal method direct
#
interface Serial1/0
link-protocol ppp
#
interface Serial1/1
link-protocol ppp
#
interface Virtual-Template1
ppp authentication-mode chap domain system
remote address pool 2
ip address 192.169.99.1 255.255.255.0
#
interface Virtual-Template2
ppp authentication-mode chap domain pppoe
ppp account-statistics enable
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.21.132
remote address pool 3
ip address 192.169.101.1 255.255.255.0
#
interface Virtual-Template10
ppp authentication-mode chap domain pppoe-server-10
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 10
#
interface Virtual-Template11
ppp authentication-mode chap domain pppoe-server-11
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 11
#
interface Virtual-Template12
ppp authentication-mode chap domain pppoe-server-12
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 12
#
interface Virtual-Template13
ppp authentication-mode chap domain pppoe-server-13
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 13
#
interface Virtual-Template14
ppp authentication-mode chap domain pppoe-server-14
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 14
#
interface Virtual-Template15
ppp authentication-mode chap domain pppoe-server-15
ppp ipcp remote-address forced
ppp ipcp dns 218.201.4.3 218.201.17.2
remote address pool 15
#
interface NULL0
#
interface Vlan-interface1
ip address 192.169.0.1 255.255.255.0
undo ip fast-forwarding
nat outbound 3100
firewall packet-filter 3002 inbound
firewall packet-filter 4000 inbound
#
interface Ethernet0/3
port link-mode bridge
#
interface Ethernet0/4
port link-mode bridge
#
dhcp-snooping
#
ssl-vpn server-policy sslvpn
ssl-vpn enable
#
#
info-center loghost 192.169.0.6 facility local6
#
dhcp server forbidden-ip 192.169.10.1 192.169.10.10
dhcp server forbidden-ip 192.169.11.1 192.169.11.10
dhcp server forbidden-ip 192.169.12.1 192.169.12.10
dhcp server forbidden-ip 192.169.13.1 192.169.13.10
dhcp server forbidden-ip 192.169.14.1 192.169.14.10
dhcp server forbidden-ip 192.169.15.1 192.169.15.10
dhcp server forbidden-ip 192.169.0.1 192.169.0.30
dhcp server detect
#
dhcp enable
#
ntp-service unicast-server 202.112.10.60
#
ssh server enable
ssh user admin service-type stelnet authentication-type password
#
arp timer aging 10
#
load xml-configuration
#
load tr069-configuration
#
user-interface tty 12
user-interface aux 0
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
#
return
[END] 2015/8/12 13:16:01