1 Network description

As shown in the figure above, the firewall is the Internet-edge security device. Towards the Internet it performs NAT so that internal users can reach the Internet; towards the inside it runs the SSL VPN server, so that external users dial in over SSL VPN and then reach the internal server resources. The user accounts are not held locally on the firewall but on the RADIUS authentication server (IMC).
2 Device configuration
2.1 Firewall SSL VPN configuration
sysname FWX00
acl advanced 3000                         // ACL matched by outbound NAT (matches all traffic)
 rule 0 permit ip
interface GigabitEthernet1/0/4            // Internet-facing interface: outbound NAT and inbound management access
 port link-mode route
 ip address X.142.88.98 255.255.255.240
 nat outbound 3000
 manage https inbound
 manage ping inbound
 gateway X.142.88.97
interface SSLVPN-AC1                      // SSL VPN tunnel interface and its address
 description sslvpn
 ip address X.153.208.253 255.255.255.0
security-zone name sslvpn                 // put the SSL VPN interface into its own security zone
 import interface SSLVPN-AC1
acl advanced 3999                         // address ranges a dialed-in user is allowed to reach
 description sslvpn
 rule 0 permit ip destination X.153.201.0 0.0.0.255
 rule 1 permit ip destination X.153.202.0 0.0.0.255
user-group user-group1                    // user group user-group1; the name must match the group in the IMC access policy
 authorization-attribute sslvpn-policy-group neiwang
radius scheme sslvpn                      // RADIUS scheme pointing at IMC
 primary authentication X.150.138.1
 primary accounting X.150.138.1
 accounting-on enable
 key authentication simple 123            // shared secret; 123 is a lab value, use a long random secret in production
 key accounting simple 123
 nas-ip X.153.206.2
domain sslvpn                             // ISP domain that calls the RADIUS scheme
 authorization-attribute user-group sslvpn    // domain default only; the user group IMC returns (user-group1) takes precedence
 authentication sslvpn radius-scheme sslvpn
 authorization sslvpn radius-scheme sslvpn
 accounting sslvpn radius-scheme sslvpn
sslvpn ip address-pool sslvpnpool X.153.208.1 X.153.208.252   // client address pool, same subnet as SSLVPN-AC1
sslvpn gateway sslvpngw                   // public address and port the SSL VPN gateway listens on
 ip address X.142.88.98 port 4433
 service enable
sslvpn context sslvpn1                    // SSL VPN context (instance)
 gateway sslvpngw
 aaa domain sslvpn                        // not listed in the original dump; confirmed by "AAA domain: sslvpn" in display sslvpn context below
 ip-tunnel interface SSLVPN-AC1           // bind the tunnel interface and the address pool; clients receive pool addresses
 ip-tunnel address-pool sslvpnpool mask 255.255.255.0
 ip-tunnel dns-server primary 114.114.114.114   // DNS server handed to clients after login
 ip-route-list neiwang                    // routes pushed to the client PC after login (split tunnel)
  include X.153.201.0 255.255.255.0
  include X.153.202.0 255.255.255.0
 sms-auth imc                             // SMS authentication via IMC, which is integrated with the SMS gateway and relays to it
  server-address X.150.138.1 port 28080
 policy-group neiwang                     // ties the pushed route list and the access ACL together
  filter ip-tunnel acl 3999
  ip-tunnel access-route ip-route-list neiwang
 service enable                           // enable the SSL VPN service
security-policy ip                        // security policies
 rule 25 name untrst-to-local             // Internet -> firewall itself, only the SSL VPN port
  action pass
  source-zone Untrust
  destination-zone Local
  destination-ip-host X.142.88.98
  service 4433                            // service object named 4433 (its object-group definition is not shown on this page)
 rule 26 name sslvpn-to-trust             // VPN users -> Trust; destinations are limited by ACL 3999 in the policy group, not here
  action pass
  source-zone sslvpn
  destination-zone trust
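The route list neiwang and ACL 3999 are maintained separately but must say the same thing: the route list only decides what the client PC sends into the tunnel, while the filter ACL decides what the firewall forwards. A permit that is wider than the pushed routes quietly widens what a VPN user can reach (with a full-tunnel client, or a route added by hand), and a pushed route without a matching permit is silently dropped. The following Python script is an added example, not part of the page or of H3C's tooling: it parses a Comware-style snippet and audits a policy group for both kinds of mismatch. The sample configuration inside it is constructed from this page with the redacted octet X replaced by 10; the function names are my own.

```python
import ipaddress

# Constructed sample based on this page's configuration (redacted octet X replaced by 10).
SAMPLE_CONFIG = """\
acl advanced 3999
 description sslvpn
 rule 0 permit ip destination 10.153.201.0 0.0.0.255
 rule 1 permit ip destination 10.153.202.0 0.0.0.255
sslvpn context sslvpn1
 gateway sslvpngw
 ip-tunnel interface SSLVPN-AC1
 ip-route-list neiwang
  include 10.153.201.0 255.255.255.0
  include 10.153.202.0 255.255.255.0
 policy-group neiwang
  filter ip-tunnel acl 3999
  ip-tunnel access-route ip-route-list neiwang
 service enable
"""


def wildcard_to_network(addr, wildcard):
    """Convert an ACL 'address wildcard' pair to a CIDR network.

    Comware wildcards set 1-bits for "don't care"; only contiguous low-order
    wildcards have a prefix equivalent, so anything else is rejected explicitly.
    """
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR form")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_config(text):
    """Collect advanced ACLs, SSL VPN route lists and policy groups from a config dump."""
    acls, route_lists, policy_groups = {}, {}, {}
    section, section_indent = None, -1
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if section and indent <= section_indent:
            section = None                      # indentation dropped: we left the block
        words = raw.split()
        if words[:2] == ["acl", "advanced"]:
            section, section_indent = ("acl", words[2]), indent
            acls.setdefault(words[2], [])
        elif words[0] == "ip-route-list":
            section, section_indent = ("routes", words[1]), indent
            route_lists.setdefault(words[1], [])
        elif words[0] == "policy-group":
            section, section_indent = ("pg", words[1]), indent
            policy_groups.setdefault(words[1], {})
        elif section is None:
            continue
        elif section[0] == "acl" and words[0] == "rule":
            # rule <n> permit|deny ip [source A W] [destination A W]; no destination means any
            dest = ipaddress.ip_network("0.0.0.0/0")
            if "destination" in words:
                i = words.index("destination")
                dest = wildcard_to_network(words[i + 1], words[i + 2])
            acls[section[1]].append((words[2], dest))
        elif section[0] == "routes" and words[0] == "include":
            route_lists[section[1]].append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
        elif section[0] == "pg" and words[:3] == ["filter", "ip-tunnel", "acl"]:
            policy_groups[section[1]]["acl"] = words[3]
        elif section[0] == "pg" and words[:3] == ["ip-tunnel", "access-route", "ip-route-list"]:
            policy_groups[section[1]]["routes"] = words[3]
    return acls, route_lists, policy_groups


def audit_policy_group(name, parsed):
    """Compare what a policy group pushes as routes with what its filter ACL permits."""
    acls, route_lists, policy_groups = parsed
    pg = policy_groups[name]
    if "acl" not in pg:
        return [f"{name}: no 'filter ip-tunnel acl', VPN users may reach any destination"]
    permits = [net for action, net in acls.get(pg["acl"], []) if action == "permit"]
    routes = route_lists.get(pg.get("routes"), [])
    findings = []
    for net in permits:             # exposure: permitted, but wider than any pushed route
        if not any(net.subnet_of(r) for r in routes):
            findings.append(f"{name}: acl {pg['acl']} permits {net}, wider than the pushed route list")
    for r in routes:                # reachability: pushed, but dropped by the ACL
        if not any(r.subnet_of(p) for p in permits):
            findings.append(f"{name}: route {r} is pushed to clients but acl {pg['acl']} does not permit it")
    return findings


if __name__ == "__main__":
    result = audit_policy_group("neiwang", parse_config(SAMPLE_CONFIG))
    for line in result or ["neiwang: route list and filter ACL agree"]:
        print(line)
```

Run it against `display current-configuration` output saved to a file and swap `SAMPLE_CONFIG` for the file contents. The coverage check is deliberately simple: a route is counted as covered only by a single permit that contains it, so a route split across several narrower permits is reported and has to be confirmed by hand.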
2.2 IMC configuration
1. Add the device

2. Fill in the device information


3. Configure the access policy; the user group name must match the user-group configured on the firewall:
user-group user-group1 // user group user-group1 on the firewall
 authorization-attribute sslvpn-policy-group neiwang


4. Authentication method: account password + dynamic password, i.e. SMS verification


5. Configure the access service and bind the access policy to it

6. Add the user; make sure the mobile number is filled in, since the SMS code is sent to it

7. The SMS gateway integration with IMC was completed beforehand
3 Service test
3.1 Downloading the client on an Internet PC
1. Log in to the device page at https://ip:4433

2. Download the client for the PC's operating system

3.2 Client setup
1. Client configuration

2. Fill in the gateway address and the other connection details

3. Wait for the SMS verification code

4. The SMS arrives (shown on the cloud desktop)

5. Enter the verification code

6. Connection succeeds

7. Check the routing table on the PC

4 Status checks
4.1 Firewall status
4.1.1 Firewall domain and RADIUS scheme
<FWX00>display domain
Domain: sslvpn
State: Active
SSL VPN authentication scheme: RADIUS=sslvpn
SSL VPN authorization scheme: RADIUS=sslvpn
SSL VPN accounting scheme: RADIUS=sslvpn
Default authentication scheme: Local
Default authorization scheme: Local
Default accounting scheme: Local
Accounting start failure action: Online
Accounting update failure action: Online
Accounting quota out action: Offline
Service type: HSI
Session time: Exclude idle time
NAS-ID: N/A
DHCPv6-follow-IPv6CP timeout: 60 seconds
Authorization attributes:
Idle cut: Disabled
Session timeout: Disabled
User group: sslvpn
IGMP access limit: 4
MLD access limit: 4
<FWX00>display radius scheme
Total 1 RADIUS schemes
RADIUS scheme name: sslvpn
Index: 0
Primary authentication server:
IP : X.150.138.1 Port: 1812
VPN : Not configured
State: Active (duration: 0 weeks, 0 days, 6 hours, 58 minutes, 7 seconds)
Test profile: Not configured
Primary accounting server:
IP : X.150.138.1 Port: 1813
VPN : Not configured
State: Active (duration: 0 weeks, 0 days, 6 hours, 58 minutes, 7 seconds)
Accounting-On function : Enabled
extended function : Disabled
retransmission times : 50
retransmission interval(seconds) : 3
Timeout Interval(seconds) : 3
Retransmission Times : 3
Retransmission Times for Accounting Update : 5
Server Quiet Period(minutes) : 5
Realtime Accounting Interval(seconds) : 720
NAS IP Address : X.153.206.2
VPN : Not configured
User Name Format : with-domain
Data flow unit : Byte
Packet unit : One
Attribute 15 check-mode : Strict
Attribute 25 : Standard
Attribute Remanent-Volume unit : Kilo
RADIUS server version (vendor ID 2011) : 1.0
Attribute 30 MAC format : HH-HH-HH-HH-HH-HH
Attribute 31 MAC format : HH-HH-HH-HH-HH-HH
Attribute 17 carry old password : Disabled
Attribute 182 vendor-ID 25506 VLAN : Disabled
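Three lines of the `display radius scheme` output above are worth verifying by hand: the ports (1812 for authentication, 1813 for accounting), the NAS IP X.153.206.2, and `User Name Format : with-domain`, which means IMC receives the login name as 123@sslvpn rather than 123. The following Python script is an added example, not from the page or from H3C, that builds the RFC 2865 Access-Request the firewall sends (including the User-Password obfuscation keyed by the shared secret) and then verifies the Response Authenticator on an Access-Accept the way the firewall does. The NAS IP uses 10 for the redacted octet; the shared secret 123 is the one from the configuration above, and the last function shows why that value is a problem: a single captured request/response pair confirms a guess of the secret offline, and whoever holds the secret can forge Access-Accepts for this NAS.

```python
import hashlib
import hmac
import ipaddress
import struct

# Values from this page's configuration; the NAS IP uses 10 for the redacted octet (assumption).
SHARED_SECRET = b"123"
NAS_IP = "10.153.206.2"


def radius_attr(atype, value):
    """One RADIUS attribute TLV: type, length including the 2-byte header, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_pap_password(password, secret, request_auth):
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    seeded with the Request Authenticator. This is obfuscation keyed by the secret, not
    encryption in any modern sense; a weak secret exposes the password to a packet capture."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_pap_password(ciphertext, secret, request_auth):
    """Inverse of encrypt_pap_password; trailing NUL padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth):
    """The Access-Request the firewall sends to IMC. With 'User Name Format: with-domain'
    the username already carries the @sslvpn suffix."""
    attrs = (radius_attr(1, username.encode())                                                # User-Name
             + radius_attr(2, encrypt_pap_password(password.encode(), secret, request_auth))  # User-Password
             + radius_attr(4, ipaddress.IPv4Address(NAS_IP).packed)                           # NAS-IP-Address
             + radius_attr(6, struct.pack("!I", 2)))                                          # Service-Type = Framed
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(ident, request_auth, attrs, secret):
    """Access-Accept as the server builds it. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """The NAS-side check that a response was produced by a holder of the shared secret
    for this exact request. A response that fails this check must be discarded."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet):
    """Attributes of a packet as {type: value}; a repeated type keeps the last value."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, i = {}, 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def recover_secret(response, request_auth, candidates):
    """Offline check of candidate secrets against one captured request/response pair:
    the Response Authenticator confirms a guess without ever touching the server."""
    for guess in candidates:
        if verify_response(response, request_auth, guess):
            return guess
    return None


if __name__ == "__main__":
    ra = bytes(range(16))   # fixed for a reproducible run; a real NAS uses 16 random bytes per request
    req = build_access_request(7, "123@sslvpn", "Passw0rd", SHARED_SECRET, ra)
    accept = build_access_accept(7, ra, radius_attr(6, struct.pack("!I", 2)), SHARED_SECRET)
    print("request user-name :", parse_attrs(req)[1].decode())
    print("accept verifies   :", verify_response(accept, ra, SHARED_SECRET))
    print("secret recovered  :", recover_secret(accept, ra, [b"radius", b"secret", b"123"]))
```

The `with-domain` format matters on the IMC side as well: the access policy and the user account must accept the suffixed name, otherwise IMC rejects a correct password. The fix for the secret is a long random `key authentication` value on the firewall and the matching value on IMC, and keeping the NAS-to-IMC path on a management network rather than a segment a VPN user or a compromised host can sniff.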
4.1.2 Firewall SSL VPN status
<XFWX00>dis sslvpn gateway
Gateway name: sslvpngw
Operation state: Up
IP: X.142.88.98 Port: 4433
Front VPN instance: Not configured
<XFWX00>dis sslvpn gateway brief
Gateway name Admin Operation
sslvpngw Up Up
<XFWX00>dis sslvpn context
Context name: sslvpn1
Operation state: Up
AAA domain: sslvpn
Certificate authentication: Disabled
Password authentication: Enabled
Authentication use: All
SMS auth type: iMC
Urlmasking: Disabled
Code verification: Disabled
Default policy group: Not configured
Associated SSL VPN gateway: sslvpngw
Maximum users allowed: 1048575
VPN instance: Not configured
Idle timeout: 30 min
Authentication server-type: aaa
Password changing: Enabled
<XFWX00>dis sslvpn context brief
Context name Admin Operation VPN instance Gateway Domain/VHost
sslvpn1 Up Up - sslvpngw -/-
<XFWX00>dis sslvpn session
Total users: 2
SSL VPN context: sslvpn1
Users: 2
Username Connections Idle time Created User IP
123 1 0/00:05:49 0/00:17:57 223.104.39.189
123 1 0/00:00:04 0/00:00:34 223.104.41.73
<XFWX00>dis sslvpn session verbose
User : 123
Authentication method : Username/password authentication/SMS authentication
Context : sslvpn1
Policy group : neiwang
Idle timeout : 30 min
Created at : 02:18:27 BeiJing Fri X/31/2025
Lastest : 02:30:35 BeiJing Fri X/31/2025
User IPv4 address : 223.104.39.189
Alloced IP : X.153.208.1
Session ID : 2
Endpoint information : Windows
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 186.88 KB
Received bytes : 200.24 KB
User : 123
Authentication method : Username/password authentication/SMS authentication
Context : sslvpn1
Policy group : neiwang
Idle timeout : 30 min
Created at : 02:35:50 BeiJing Fri X/31/2025
Lastest : 02:36:20 BeiJing Fri X/31/2025
User IPv4 address : 223.104.41.73
Alloced IP : X.153.208.2
Session ID : 3
Endpoint information : Windows
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 19.01 KB
Received bytes : 0.00 B
<XFWX00>dis sslvpn session user sslvpn // no output: sslvpn is the domain name, not a username; see the lookup by username below
<XFWX00>dis sslvpn session context sslvpn1
SSL VPN context: sslvpn1
Users: 2
Username Connections Idle time Created User IP
123 1 0/00:05:49 0/00:17:57 223.104.39.189
123 1 0/00:00:04 0/00:00:34 223.104.41.73
<XFWX00>dis sslvpn session user 123
User : 123
Authentication method : Username/password authentication/SMS authentication
Context : sslvpn1
Policy group : neiwang
Idle timeout : 30 min
Created at : 02:18:27 BeiJing Fri X/31/2025
Lastest : 02:30:35 BeiJing Fri X/31/2025
User IPv4 address : 223.104.39.189
Alloced IP : X.153.208.1
Session ID : 2
Endpoint information : Windows
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 186.88 KB
Received bytes : 200.24 KB
User : 123
Authentication method : Username/password authentication/SMS authentication
Context : sslvpn1
Policy group : neiwang
Idle timeout : 30 min
Created at : 02:35:50 BeiJing Fri X/31/2025
Lastest : 02:36:20 BeiJing Fri X/31/2025
User IPv4 address : 223.104.41.73
Alloced IP : X.153.208.2
Session ID : 3
Endpoint information : Windows
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 19.01 KB
Received bytes : 0.00 B
<XFWX00>
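The brief session table above already shows something worth catching automatically rather than by eye: the same account 123 is logged in from two different public addresses at the same time (223.104.39.189 and 223.104.41.73), which for a password-plus-SMS account means either a shared login or a shared phone. The script below is an added example, not from the page or from H3C: it parses the `display sslvpn session` brief table, reports accounts with concurrent sessions from distinct source IPs, and lists sessions whose idle counter has reached the context's 30-minute idle timeout. The sample output is constructed from the two rows on this page plus a third, invented account ops-liu; the columns are assumed to be whitespace-separated exactly as shown.

```python
import re
from collections import defaultdict

# Constructed sample: the two rows from "display sslvpn session" on this page plus a third,
# invented account (ops-liu) to exercise the idle check.
SAMPLE_SESSION_OUTPUT = """\
Total users: 3
SSL VPN context: sslvpn1
  Users: 3
  Username       Connections   Idle time    Created       User IP
  123            1             0/00:05:49   0/00:17:57    223.104.39.189
  123            1             0/00:00:04   0/00:00:34    223.104.41.73
  ops-liu        1             0/00:31:10   1/02:00:00    198.51.100.7
"""

# user  connections  idle (days/HH:MM:SS)  created (days/HH:MM:SS)  source IP
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+/\d\d:\d\d:\d\d)\s+(\d+/\d\d:\d\d:\d\d)\s+(\S+)\s*$")

IDLE_TIMEOUT_S = 30 * 60   # "Idle timeout: 30 min" from display sslvpn context


def to_seconds(value):
    """Convert the device's 'days/HH:MM:SS' counter to seconds."""
    days, hms = value.split("/")
    hours, minutes, seconds = (int(x) for x in hms.split(":"))
    return int(days) * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_sessions(text):
    """Return one dict per data row of the brief table; headers and totals do not match ROW."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            user, conns, idle, created, ip = m.groups()
            sessions.append({"user": user, "connections": int(conns),
                             "idle_s": to_seconds(idle), "age_s": to_seconds(created), "ip": ip})
    return sessions


def concurrent_logins(sessions):
    """Accounts with live sessions from more than one source IP: a shared or stolen credential."""
    by_user = defaultdict(set)
    for s in sessions:
        by_user[s["user"]].add(s["ip"])
    return {user: sorted(ips) for user, ips in by_user.items() if len(ips) > 1}


def stale_sessions(sessions, idle_limit_s=IDLE_TIMEOUT_S):
    """Sessions whose idle counter has reached the context idle timeout."""
    return [s for s in sessions if s["idle_s"] >= idle_limit_s]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSION_OUTPUT)
    for user, ips in concurrent_logins(sessions).items():
        print(f"{user}: concurrent sessions from {', '.join(ips)}")
    for s in stale_sessions(sessions):
        print(f"{s['user']}: idle {s['idle_s'] // 60} min from {s['ip']}")
```

Feed it the output of `display sslvpn session` collected from the CLI; for a single account the on-box equivalent is `display sslvpn session user 123`, as shown above. A session that is still listed after reaching the idle timeout is a sign that the counter you are reading is not the one the timeout acts on, and is worth checking against the verbose output.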
4.1.3 Firewall SMS authentication status
<DT-X-B1F-FW1000>dis sslvpn context
Context name: sslvpn1
Operation state: Up
AAA domain: sslvpn
Certificate authentication: Disabled
Password authentication: Enabled
Authentication use: All
SMS auth type: iMC // SMS authentication is handled through IMC, which relays to the SMS gateway
Urlmasking: Disabled
Code verification: Disabled
Default policy group: Not configured
Associated SSL VPN gateway: sslvpngw
Maximum users allowed: 1048575
VPN instance: Not configured
Idle timeout: 30 min
Authentication server-type: aaa
Password changing: Enabled
<DT-X-B1F-FW1000>dis sslvpn session
Total users: 2
SSL VPN context: sslvpn1
Users: 2
Username Connections Idle time Created User IP
123 1 0/00:05:49 0/00:17:57 223.104.39.189
<DT-X-B1F-FW1000>dis sslvpn session verbose
User : 123
Authentication method : Username/password authentication/SMS authentication // password plus the SMS code delivered via the SMS gateway
Context : sslvpn1
Policy group : neiwang
Idle timeout : 30 min
Created at : 02:18:27 BeiJing Fri 10/31/2025
Lastest : 02:30:35 BeiJing Fri 10/31/2025
User IPv4 address : 223.104.39.189
Alloced IP :X.153.208.1
Session ID : 2
Endpoint information : Windows
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 186.88 KB
Received bytes : 200.24 KB
4.2 Local routing table on the Internet PC

4.3 IMC user information
1. SSL VPN online users

2. SSL VPN user details

3. SSL VPN login records

4.4 Firewall user view
