10-Security Command Reference

04-Portal Commands

display portal acl

Syntax

display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

all: Displays all portal access control lists (ACLs), including dynamic ones and static ones.

dynamic: Displays dynamic portal ACLs, namely, ACLs generated after a user passes portal authentication.

static: Displays static portal ACLs, namely, ACLs generated by related configurations.

interface interface-type interface-number: Displays the ACLs on the specified interface.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display portal acl command to display the ACLs on a specific interface.

Examples

# Display all ACLs on interface GigabitEthernet 2/1/1.

<Sysname> display portal acl all interface GigabitEthernet2/1/1

GigabitEthernet2/1/1 portal ACL rule:

 Rule 0

 Inbound interface : GigabitEthernet2/1/1

 Type              : static

 Action            : permit

 Source:

    IP        : 1.1.1.1

    Mask      : 255.255.255.255

    MAC       : 0000-0000-0000

    Interface : any

    VLAN      : 0

    Protocol  : 0

 Destination:

    IP        : 192.168.0.111

    Mask      : 255.255.255.255

 

 Rule 1

 Inbound interface : GigabitEthernet2/1/1

 Type              : dynamic

 Action            : permit

 Source:

    IP        : 3.3.3.0

    Mask      : 255.255.255.0

    MAC       : 0000-0000-0000

    Interface : any

    VLAN      : 0

    Protocol  : 0

 Destination:

    IP        : 192.168.0.111

    Mask      : 255.255.255.255

 

 Rule 2

 Inbound interface : GigabitEthernet2/1/1

 Type              : dynamic

 Action            : permit

 Source:

    IP        : 1.1.2.3

    Mask      : 255.255.255.255

    MAC       : 0000-0000-0000

    Interface : any

    VLAN      : 0

    Protocol  : 0

 Destination:

    IP        : 2.2.2.0

    Mask      : 255.255.255.0

Author ACL:

    Number   : 3001

Table 1 Output description

Field              Description
Rule               Sequence number of the generated ACL, numbered from 0 in ascending order.
Inbound interface  Interface to which portal ACLs are bound.
Type               Type of the portal ACL.
Action             Match action in the portal ACL.
Source             Source information in the portal ACL.
  IP               Source IP address in the portal ACL.
  Mask             Subnet mask of the source IP address in the portal ACL.
  MAC              Source MAC address in the portal ACL.
  Interface        Source interface in the portal ACL.
  VLAN             Source VLAN in the portal ACL.
  Protocol         Protocol type in the portal ACL.
Destination        Destination information in the portal ACL.
  IP               Destination IP address in the portal ACL.
  Mask             Subnet mask of the destination IP address in the portal ACL.
Author ACL         Authorization ACL of the portal ACL. Displayed only when the Type field has the value dynamic.
  Number           Authorization ACL number assigned by the server. None indicates that the server did not assign any ACL.

 

display portal connection statistics

Syntax

display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display portal connection statistics command to display portal connection statistics on a specific interface or all interfaces.

Examples

# Display portal connection statistics on interface GigabitEthernet 2/1/1.

<Sysname> display portal connection statistics interface GigabitEthernet2/1/1

 ---------------Interface: GigabitEthernet2/1/1-----------------------

 User state statistics:

 State-Name                User-Num

 VOID                      0

 DISCOVERED                0

 WAIT_AUTHEN_ACK           0

 WAIT_AUTHOR_ACK           0

 WAIT_LOGIN_ACK            0

 WAIT_ACL_ACK              0

 WAIT_NEW_IP               0

 WAIT_USERIPCHANGE_ACK     0

 ONLINE                    0

 WAIT_LOGOUT_ACK           0

 WAIT_LEAVING_ACK          0

 

 Message statistics:

Msg-Name                  Total         Err           Discard

 MSG_AUTHEN_ACK            0             0             0

 MSG_AUTHOR_ACK            0             0             0

 MSG_LOGIN_ACK             0             0             0

 MSG_LOGOUT_ACK            0             0             0

 MSG_LEAVING_ACK           0             0             0

 MSG_CUT_REQ               0             0             0

 MSG_AUTH_REQ              0             0             0

 MSG_LOGIN_REQ             0             0             0

 MSG_LOGOUT_REQ            0             0             0

 MSG_LEAVING_REQ           0             0             0

 MSG_ARPPKT                0             0             0

 MSG_PORT_REMOVE           0             0             0

 MSG_VLAN_REMOVE           0             0             0

 MSG_IF_REMOVE             1             0             0

 MSG_IF_SHUT               0             0             0

 MSG_IF_DISPORTAL          0             0             0

 MSG_IF_UP                 0             0             0

 MSG_ACL_RESULT            0             0             0

 MSG_CUT_L3IF              0             0             0

 MSG_IP_REMOVE             0             0             0

 MSG_ALL_REMOVE            0             0             0

 MSG_IFIPADDR_CHANGE       0             0             0

 MSG_SOCKET_CHANGE         2             0             0

 MSG_VLAN_BATCH            0             0             0

 MSG_ACL_DELETE            0             0             0

 MSG_ACL_UPDATE            0             0             0

Table 2 Output description

Field                  Description
User state statistics  Statistics on portal users
State-Name             Name of a user state
User-Num               Number of users in a specific state
VOID                   Number of users in void state
DISCOVERED             Number of users in discovered state
WAIT_AUTHEN_ACK        Number of users in wait_authen_ack state
WAIT_AUTHOR_ACK        Number of users in wait_author_ack state
WAIT_LOGIN_ACK         Number of users in wait_login_ack state
WAIT_ACL_ACK           Number of users in wait_acl_ack state
WAIT_NEW_IP            Number of users in wait_new_ip state
WAIT_USERIPCHANGE_ACK  Number of users in wait_useripchange_ack state
ONLINE                 Number of users in online state
WAIT_LOGOUT_ACK        Number of users in wait_logout_ack state
WAIT_LEAVING_ACK       Number of users in wait_leaving_ack state
Message statistics     Statistics on messages
Msg-Name               Message type
Total                  Total number of messages of a specific type
Err                    Number of erroneous messages of a specific type
Discard                Number of discarded messages of a specific type
MSG_AUTHEN_ACK         Authentication acknowledgment message
MSG_AUTHOR_ACK         Authorization acknowledgment message
MSG_LOGIN_ACK          Accounting acknowledgment message
MSG_LOGOUT_ACK         Accounting-stop acknowledgment message
MSG_LEAVING_ACK        Leaving acknowledgment message
MSG_CUT_REQ            Cut request message
MSG_AUTH_REQ           Authentication request message
MSG_LOGIN_REQ          Accounting request message
MSG_LOGOUT_REQ         Accounting-stop request message
MSG_LEAVING_REQ        Leaving request message
MSG_ARPPKT             ARP message
MSG_PORT_REMOVE        Users-of-a-Layer-2-port-removed message
MSG_VLAN_REMOVE        VLAN-user-removed message
MSG_IF_REMOVE          Message indicating that the users on a Layer 3 interface were removed because the interface was removed.
MSG_IF_SHUT            Layer 3 interface shutdown message
MSG_IF_DISPORTAL       Portal-disabled-on-interface message
MSG_IF_UP              Layer 3-interface-came-up message
MSG_ACL_RESULT         ACL deployment failure message
MSG_CUT_L3IF           Message indicating that the users on a Layer 3 interface were removed because they were logged out.
MSG_IP_REMOVE          User-with-an-IP-removed message
MSG_ALL_REMOVE         All-users-removed message
MSG_IFIPADDR_CHANGE    Interface IP address change message
MSG_SOCKET_CHANGE      Socket change message
MSG_VLAN_BATCH         VLAN batch assignment message
MSG_NOTIFY             Notification message
MSG_SETPOLICY          Set policy message for assigning security ACL
MSG_SETPOLICY_RESULT   Set policy response message

 

display portal free-rule

Syntax

display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

rule-number: Number of a portal-free rule. The value ranges from 0 to 63.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display portal free-rule command to display information about a specific portal-free rule or all portal-free rules.

Related commands: portal free-rule.

Examples

# Display information about portal-free rule 0.

<Sysname> display portal free-rule 0

 Rule-Number  0:

 Source:

   IP        : 1.1.2.3

   Mask      : 255.255.255.255

   MAC       : 0000-0000-0000

   Interface : any

   Vlan      : 0

 Destination:

   IP        : 2.2.2.0

   Mask      : 255.255.255.0  

Table 3 Output description

Field        Description
Rule-Number  Number of the portal-free rule
Source       Source information in the portal-free rule
  IP         Source IP address in the portal-free rule
  Mask       Subnet mask of the source IP address in the portal-free rule
  MAC        Source MAC address in the portal-free rule
  Interface  Source interface in the portal-free rule
  Vlan       Source VLAN in the portal-free rule
Destination  Destination information in the portal-free rule
  IP         Destination IP address in the portal-free rule
  Mask       Subnet mask of the destination IP address in the portal-free rule

 

display portal interface

Syntax

display portal interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display portal interface command to display the portal configuration of an interface.

Examples

# Display the portal configuration of interface GigabitEthernet 2/1/1.

<Sysname> display portal interface GigabitEthernet2/1/1

 Interface portal configuration:

 GigabitEthernet2/1/1: Portal running

Portal server: newpt

 Authentication type: Layer3

 Authentication domain: my-domain

Authentication network:

 address : 1.1.1.1  mask : 255.255.255.255

 address : 3.3.3.0  mask : 255.255.255.0 

Table 4 Output description

Field                           Description
Interface portal configuration  Portal configuration on the interface
GigabitEthernet2/1/1            Status of portal authentication on the interface:
                                ·  disabled—Portal authentication is disabled.
                                ·  enabled—Portal authentication is enabled but is not functioning.
                                ·  running—Portal authentication is functioning.
Portal server                   Portal server referenced by the interface
Authentication type             Authentication mode enabled on the interface
Authentication domain           Mandatory authentication domain of the interface
Authentication network          Information about the portal authentication source subnet and destination subnet
address                         IP address of the portal authentication subnet
mask                            Subnet mask of the IP address of the portal authentication subnet

 

display portal server

Syntax

display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display portal server command to display information about a specific portal server or all portal servers.

Related commands: portal server.

Examples

# Display information about portal server newpt.

<Sysname> display portal server newpt

 Portal server:

  1) newpt:

    IP   : 192.168.0.111

    VPN instance : vpn1

    Port         : 50100

    Key  : portal

    URL  : http://192.168.0.111

    Status  :Up

Table 5 Output description

Field         Description
1)            Number of the portal server.
newpt         Name of the portal server.
VPN instance  MPLS L3VPN to which the portal server belongs.
IP            IP address of the portal server.
Port          Listening port on the portal server.
Key           Shared key for exchanges between the router and portal server. Not configured is displayed if no key is configured.
URL           Address the packets are to be redirected to. Not configured is displayed if no address is configured.
Status        Current status of the portal server, which can be one of the following values:
              ·  N/A—The server is not referenced on any interface, or the server detection function is not enabled. The reachability of the portal server is unknown.
              ·  Up—The portal server is referenced on an interface and the portal server detection function is enabled, and currently the portal server is reachable.
              ·  Down—The portal server is referenced on an interface and the portal server detection function is enabled, but currently the portal server is unreachable.

 

display portal server statistics

Syntax

display portal server statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display portal server statistics command to display portal server statistics on a specific interface or all interfaces.

With the all keyword specified, the command displays portal server statistics per interface, so a portal server referenced by more than one interface appears once for each interface that references it.

Examples

# Display portal server statistics on GigabitEthernet 2/1/1.

<Sysname> display portal server statistics interface GigabitEthernet 2/1/1

---------------Interface: GigabitEthernet2/1/1----------------------

 Server name:  newpt

 Invalid packets: 0

 Pkt-Name                          Total   Discard  Checkerr

REQ_CHALLENGE                       0        0        0

ACK_CHALLENGE                       0        0        0

REQ_AUTH                            0        0        0

ACK_AUTH                            0        0        0

REQ_LOGOUT                          0        0        0

ACK_LOGOUT                          0        0        0

AFF_ACK_AUTH                        0        0        0

NTF_LOGOUT                          0        0        0

REQ_INFO                            0        0        0

ACK_INFO                            0        0        0

NTF_USERDISCOVER                    0        0        0

NTF_USERIPCHANGE                    0        0        0

AFF_NTF_USERIPCHANGE                0        0        0

ACK_NTF_LOGOUT                      0        0        0

NTF_USERSYNC                        2        0        0

ACK_NTF_USERSYNC                    0        0        0

Table 6 Output description

Field                 Description
Interface             Interface referencing the portal server
Server name           Name of the portal server
Invalid packets       Number of invalid packets
Pkt-Name              Packet type
Total                 Total number of packets
Discard               Number of discarded packets
Checkerr              Number of erroneous packets
REQ_CHALLENGE         Challenge request message the portal server sends to the router
ACK_CHALLENGE         Challenge acknowledgment message the router sends to the portal server
REQ_AUTH              Authentication request message the portal server sends to the router
ACK_AUTH              Authentication acknowledgment message the router sends to the portal server
REQ_LOGOUT            Logout request message the portal server sends to the router
ACK_LOGOUT            Logout acknowledgment message the router sends to the portal server
AFF_ACK_AUTH          Affirmation message the portal server sends to the router after receiving an authentication acknowledgment message
NTF_LOGOUT            Forced logout notification message the router sends to the portal server
REQ_INFO              Information request message
ACK_INFO              Information acknowledgment message
NTF_USERDISCOVER      User discovery notification message the portal server sends to the router
NTF_USERIPCHANGE      User IP change notification message the router sends to the portal server
AFF_NTF_USERIPCHANGE  User IP change success notification message the portal server sends to the router
ACK_NTF_LOGOUT        Forced logout acknowledgment message from the portal server
NTF_USERSYNC          User synchronization packet the router received from the portal server
ACK_NTF_USERSYNC      User synchronization acknowledgment packet the router sent to the portal server

 

display portal tcp-cheat statistics

Syntax

display portal tcp-cheat statistics [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display portal tcp-cheat statistics command to display TCP spoofing statistics.

Examples

# Display TCP spoofing statistics.

<Sysname> display portal tcp-cheat statistics

 TCP Cheat Statistic:

 Total Opens: 0

 Reset Connections: 0

 Current Opens: 0

 Packets Received: 0

 Packets Sent: 0

 Packets Retransmitted: 0

 Packets Dropped: 0

 HTTP Packets Sent: 0

 Connection State:

          SYN_RECVD: 0

          ESTABLISHED: 0

          CLOSE_WAIT: 0

          LAST_ACK: 0

          FIN_WAIT_1: 0

          FIN_WAIT_2: 0

          CLOSING: 0

Table 7 Output description

Field                  Description
TCP Cheat Statistic    TCP spoofing statistics
Total Opens            Total number of opened connections
Reset Connections      Number of connections reset through RST packets
Current Opens          Number of connections currently being set up
Packets Received       Number of received packets
Packets Sent           Number of sent packets
Packets Retransmitted  Number of retransmitted packets
Packets Dropped        Number of dropped packets
HTTP Packets Sent      Number of HTTP packets sent
Connection State       Statistics of connections in the various states
  SYN_RECVD            Number of connections in SYN_RECVD state, that is, a SYN packet has been received from the peer
  ESTABLISHED          Number of connections in ESTABLISHED state
  CLOSE_WAIT           Number of connections in CLOSE_WAIT state
  LAST_ACK             Number of connections in LAST_ACK state
  FIN_WAIT_1           Number of connections in FIN_WAIT_1 state
  FIN_WAIT_2           Number of connections in FIN_WAIT_2 state
  CLOSING              Number of connections in CLOSING state

 

display portal user

Syntax

display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display portal user command to display information about portal users on a specific interface or all interfaces.

Examples

# Display information about portal users on all interfaces.

<Sysname> display portal user all                                                      

Index:71                                                                       

 State:ONLINE                                                                  

 SubState:NONE                                                                 

ACL:NONE

VPN instance:NONE

MAC                 IP                Vlan   Interface                           

 ---------------------------------------------------------------------         

 0000-0000-0000   2.2.2.2           0       GigabitEthernet3/1/1           

Index:3

 State:ONLINE

 SubState: NONE

 ACL:3000

VPN instance: vpn1

MAC                IP                 Vlan   Interface

 ---------------------------------------------------------------------

 000d-88f8-0eac   2.2.2.3           0      GigabitEthernet3/1/1

 Total 2 user(s) matched, 2 listed.

Table 8 Output description

Field                              Description
Index                              Index of the portal user
State                              Current status of the portal user
SubState                           Current sub-status of the portal user
ACL                                Authorization ACL of the portal user
VPN instance                       MPLS L3VPN to which the portal user belongs
MAC                                MAC address of the portal user
IP                                 IP address of the portal user
Vlan                               VLAN to which the portal user belongs
Interface                          Interface to which the portal user is attached
Total 1 user(s) matched, 1 listed  Total number of portal users

 

portal auth-network

Syntax

portal auth-network network-address { mask-length | mask }

undo portal auth-network { network-address | all }

View

Interface view

Default level

2: System level

Parameters

network-address: IP address of the authentication source subnet.

mask-length: Length of the subnet mask, in the range of 0 to 32.

mask: Subnet mask, in dotted decimal notation.

all: Specifies all authentication source subnets.

Description

Use the portal auth-network command to configure a portal authentication source subnet on an interface. Then, only HTTP packets from the specified subnet can trigger portal authentication on the interface. If an unauthenticated user is not on any authentication source subnet, the access device discards all the user’s packets that do not match any portal-free rule.

Use the undo portal auth-network command to remove a specific portal authentication source subnet or all portal authentication subnets.

By default, the portal authentication source subnet is 0.0.0.0/0, meaning that users in all subnets must pass portal authentication.

This command is only applicable to cross-subnet authentication (layer3). The portal authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users.

You can configure multiple authentication source subnets by executing the portal auth-network command repeatedly. The router supports up to 4096 authentication source subnets.

If both an authentication source subnet and destination subnet are configured on an interface, only the authentication destination subnet takes effect.

Examples

# Configure a portal authentication source subnet of 10.10.10.0/24 on GigabitEthernet 3/1/1, so that only users from subnet 10.10.10.0/24 trigger portal authentication. Users from other subnets are denied access.

<Sysname> system-view

[Sysname] interface Gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal auth-network 10.10.10.0 24

portal delete-user

Syntax

portal delete-user { ip-address | all | interface interface-type interface-number }

View

System view

Default level

2: System level

Parameters

ip-address: IP address of a user.

all: Logs out all users.

interface interface-type interface-number: Logs out all users on the specified interface.

Description

Use the portal delete-user command to log out users.

Related commands: display portal user.

Examples

# Log out the user whose IP address is 1.1.1.1.

<Sysname> system-view

[Sysname] portal delete-user 1.1.1.1

portal domain

Syntax

portal domain domain-name

undo portal domain

View

Interface view

Default level

2: System level

Parameters

domain-name: ISP domain name, a case-insensitive string of 1 to 24 characters. The domain specified by this argument must already exist.

Description

Use the portal domain command to specify an authentication domain for an interface. Then, the router will use the authentication domain for authentication, authorization and accounting (AAA) of the portal users on the interface.

Use the undo portal domain command to restore the default.

By default, no authentication domain is specified for an interface.

Related commands: display portal interface.

Examples

# Configure the authentication domain to be used for portal users on GigabitEthernet 3/1/1 as my-domain.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal domain my-domain

portal free-rule

Syntax

portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | netmask } | any } } | source { any | [ interface interface-type interface-number | ip { ip-address mask { mask-length | netmask } | any } | vlan vlan-id ] * } } *

undo portal free-rule { rule-number | all }

View

System view

Default level

2: System level

Parameters

rule-number: Number for the portal-free rule. The value ranges from 0 to 63.

any: Imposes no limitation on the previous keyword.

ip ip-address: Specifies an IP address.

mask { mask-length | netmask }: Specifies the mask of the IP address, which can be in dotted decimal notation or an integer in the range of 0 to 32.

interface interface-type interface-number: Specifies a source interface for the portal free rule.

vlan vlan-id: Specifies a source VLAN ID. The value ranges from 1 to 4094.

all: Specifies all portal-free rules.

Description

Use the portal free-rule command to configure a portal-free rule and specify the source filtering condition and/or destination filtering condition.

Use the undo portal free-rule command to remove a specific portal-free rule or all portal-free rules.

If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.

You cannot configure a portal-free rule to have the same filtering criteria as that of an existing one. Otherwise, the system prompts that the rule already exists.

Regardless of whether portal authentication is enabled on an interface, you can only add or remove a portal-free rule; you cannot modify an existing one.

Related commands: display portal free-rule.

Examples

# Configure a portal-free rule, allowing any packet whose source IP address is 10.10.10.1/24 and source interface is GigabitEthernet 3/2/1 to bypass portal authentication.

<Sysname> system-view

[Sysname] portal free-rule 15 source ip 10.10.10.1 mask 24 interface Gigabitethernet 3/2/1 destination ip any
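The portal auth-network and portal free-rule descriptions above together define how an interface treats a packet from an unauthenticated host: a portal-free match passes, an HTTP packet from an authentication source subnet triggers authentication, and anything else from an unauthenticated host is discarded. The following Python model is an added example, not part of the H3C manual and not the router's implementation: it encodes those rules plus the two constraints on free rules (an interface named together with a VLAN must belong to that VLAN or the rule is ineffective; a rule with the same criteria as an existing one is rejected, and rules are add/remove only). The VLAN membership table, the class and function names, and the treatment of non-HTTP traffic from an unauthenticated host as discarded are my assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict, List, Optional, Set


def net(cidr: str) -> IPv4Network:
    """'10.10.10.1/24' -> 10.10.10.0/24, as written in the free-rule example above."""
    return ip_network(cidr, strict=False)


@dataclass(frozen=True)
class FreeRule:
    """One portal-free rule; None for a criterion means 'any'."""
    number: int
    src_net: Optional[IPv4Network] = None
    src_interface: Optional[str] = None
    src_vlan: Optional[int] = None
    dst_net: Optional[IPv4Network] = None

    def criteria(self):
        return (self.src_net, self.src_interface, self.src_vlan, self.dst_net)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    interface: str
    vlan: int
    dst_port: int


class PortalInterfacePolicy:
    """Model (mine) of the filtering one portal-enabled interface applies."""

    def __init__(self, vlan_members: Dict[int, Set[str]]):
        self.vlan_members = vlan_members               # VLAN id -> member interfaces (assumed topology)
        self.auth_networks: List[IPv4Network] = [net("0.0.0.0/0")]   # default: every subnet
        self.free_rules: Dict[int, FreeRule] = {}

    def set_auth_networks(self, *cidrs: str) -> None:   # portal auth-network, repeated
        self.auth_networks = [net(c) for c in cidrs]

    def add_free_rule(self, rule: FreeRule) -> None:    # portal free-rule: add only
        if any(r.criteria() == rule.criteria() for r in self.free_rules.values()):
            raise ValueError("The rule already exists.")
        if rule.number in self.free_rules:
            raise ValueError(f"Rule {rule.number} exists; remove it with undo before re-adding.")
        self.free_rules[rule.number] = rule

    def undo_free_rule(self, number: int) -> None:      # undo portal free-rule rule-number
        self.free_rules.pop(number, None)

    def rule_effective(self, r: FreeRule) -> bool:
        # With both a VLAN and an interface, the interface must belong to that VLAN.
        if r.src_interface is not None and r.src_vlan is not None:
            return r.src_interface in self.vlan_members.get(r.src_vlan, set())
        return True

    def matching_free_rule(self, pkt: Packet) -> Optional[int]:
        src, dst = IPv4Address(pkt.src_ip), IPv4Address(pkt.dst_ip)
        for r in sorted(self.free_rules.values(), key=lambda r: r.number):
            if not self.rule_effective(r):
                continue
            if r.src_net is not None and src not in r.src_net:
                continue
            if r.src_interface is not None and r.src_interface != pkt.interface:
                continue
            if r.src_vlan is not None and r.src_vlan != pkt.vlan:
                continue
            if r.dst_net is not None and dst not in r.dst_net:
                continue
            return r.number
        return None

    def classify(self, pkt: Packet, authenticated: bool) -> str:
        rule = self.matching_free_rule(pkt)
        if rule is not None:
            return f"permit (portal-free rule {rule})"
        if authenticated:
            return "permit"
        src = IPv4Address(pkt.src_ip)
        if any(src in n for n in self.auth_networks) and pkt.dst_port == 80:
            return "trigger portal authentication"
        # Not on an authentication source subnet, or not HTTP. Assumption: only
        # HTTP triggers the redirect, so other unauthenticated traffic is dropped.
        return "discard"
```

Reading the two page examples through the model: with portal auth-network 10.10.10.0 24 and free rule 15 (source 10.10.10.1/24 on GigabitEthernet3/2/1), a host in 10.10.10.0/24 arriving on that interface bypasses the portal entirely, the same host on another interface is redirected only for HTTP, and a host outside the subnet gets nothing through until it is authenticated by some other path, which is the "denied access" wording of the auth-network example.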

portal max-user

Syntax

portal max-user max-number

undo portal max-user

View

System view

Default level

2: System level

Parameters

max-number: Maximum number of online portal users allowed in the system. Its value range depends on the system working mode:

·           In SPE mode, the value range is from 1 to 4096.

·           In SPC mode, the value range is from 1 to 7680.

·           In hybrid mode, if the ACL mode is 1 or 2, the value range is from 1 to 7680; if the ACL mode is 3 or 4, the value range is from 1 to 4096.

For information about the system working modes, see Fundamentals Configuration Guide.

Description

Use the portal max-user command to set the maximum number of online portal users allowed in the system.

Use the undo portal max-user command to restore the default.

By default, the maximum number of online portal users depends on the system working mode:

·           SPE mode—4096

·           SPC mode—7680

·           Hybrid mode—7680 when the ACL mode is 1 or 2, and 4096 when the ACL mode is 3 or 4.

If the maximum number specified in the command is less than the number of portal users currently online, the command still succeeds and the online users are not affected, but no new portal user can log in until the number of online users drops below the limit.

Examples

# Set the maximum number of portal users allowed in the system to 100.

<Sysname> system-view

[Sysname] portal max-user 100

portal nas-id-profile

Syntax

portal nas-id-profile profile-name

undo portal nas-id-profile

View

Interface view

Default level

2: System level

Parameters

profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs, a case-insensitive string of 1 to 16 characters. The profile can be configured by using the aaa nas-id profile command. For more information, see the chapter “AAA configuration.”

Description

Use the portal nas-id-profile command to specify a NAS ID profile for an interface.

Use the undo portal nas-id-profile command to cancel the configuration.

By default, an interface is not specified with any NAS ID profile.

If an interface is specified with a NAS ID profile, the interface uses the VLAN-to-NAS-ID binding defined in that profile. If no NAS ID profile is specified for the interface, or the profile contains no binding that matches the user's VLAN, the device name is used as the interface's NAS ID.

Examples

# Specify NAS ID profile aaa for GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal nas-id-profile aaa

portal nas-ip

Syntax

portal nas-ip ip-address

undo portal nas-ip

View

Interface view

Default level

2: System level

Parameters

ip-address: Source IP address for portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

Description

Use the portal nas-ip command to configure the source IP address for the interface to use for portal packets to be sent.

Use the undo portal nas-ip command to restore the default.

By default, no source IP address is specified, and the IP address of the user access interface is used as the source IP address of the portal packets.

Examples

# Configure the source IP address for portal packets to be sent on GigabitEthernet 3/1/1 as 2.2.2.2.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal nas-ip 2.2.2.2

portal nas-port-type

Syntax

portal nas-port-type { ethernet | wireless }

undo portal nas-port-type

View

Interface view

Default level

2: System level

Parameters

ethernet: Specifies the access port type as Ethernet, which corresponds to code 15.

wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, ensuring that the NAS-Port-Type value delivered by the router to the RADIUS server is wireless.

Description

Use the portal nas-port-type command to specify the access port type (indicated by the NAS-Port-Type value) on the current interface. The specified NAS-Port-Type value will be carried in the RADIUS requests sent from the router to the RADIUS server.

Use the undo portal nas-port-type command to restore the default.

By default, the access port type of an interface is not specified, and the NAS-Port-Type value carried in RADIUS requests is the user access port type obtained by the router.

Examples

# Specify the NAS-Port-Type value of GigabitEthernet 3/1/1 as IEEE 802.11 standard wireless interface.

<Sysname> system-view

[Sysname] interface Gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal nas-port-type wireless

portal server

Syntax

portal server server-name ip ip-address [ key key-string | port port-id | url url-string | vpn-instance vpn-instance-name ] *

undo portal server server-name [ key | port | url | vpn-instance ]

View

System view

Default level

2: System level

Parameters

server-name: Name of the portal server, a case-sensitive string of 1 to 32 characters.

ip-address: IP address of the portal server.

key-string: Shared key for communication with the portal server, a case-sensitive string of 1 to 16 characters. Portal packets exchanged between the access device and the portal server carry an authenticator computed from the packet contents and this shared key; the receiver recomputes the authenticator to check that a received packet is genuine and has not been modified. The same key must be configured on the portal server.

port-id: Destination port number the router uses when it sends a packet to the portal server on its own initiative (rather than in reply to a server request), in the range of 1 to 65534. The default is 50100.

url-string: Uniform resource locator (URL) to which web packets are to be redirected. The default URL is in the format http://ip-address, where ip-address is the IP address of the portal server. You can also specify the domain name of the portal server, in which case you need to use the portal free-rule command to configure the IP address of the DNS server as a portal authentication-free destination IP address.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the portal server belongs. vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the portal server is on the public network, do not specify this option.

Description

Use the portal server command to specify a portal server and the portal server parameters for Layer 3 portal authentication.

Use the undo portal server command to remove a portal server, restore the default destination port number or URL, or delete the shared key.

By default, no portal server is specified.

Note the following:

·           If the specified portal server exists and there is no user on the interfaces referencing the portal server, the undo portal server server-name command removes the specified portal server. With keyword port or url also provided, the command restores the destination port number or URL address to the default.

·           The configured portal server and its parameters can be removed or modified only when the portal server is not referenced by an interface. To remove or modify the settings of a portal server that has been referenced by an interface, you must first disable portal configuration on the interface by using the undo portal command.

Related commands: display portal server.

 

CAUTION:

·       If the portal feature is enabled on an interface, you cannot remove the portal server that the interface references. If there are users on this interface, you cannot modify the parameters of the portal server.

·       You must disable portal authentication on an interface before removing the portal server applied to the interface.

 

Examples

# Configure the portal server name as pts, specify the server’s IP address 192.168.0.111, shared key as portal, and the redirection URL as http://192.168.0.111/portal.

<Sysname> system-view

[Sysname] portal server pts ip 192.168.0.111 key portal url http://192.168.0.111/portal
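The following is an added example, not H3C code and not the vendor's wire format: it shows how a shared-key authenticator of the kind described under key-string lets the receiver reject forged or altered portal packets. It assumes a 16-byte authenticator computed as MD5 over the packet (with the authenticator field zeroed) followed by the key, and an illustrative packet layout; both are assumptions made for the example.

```python
import hashlib
import hmac
import struct

AUTH_LEN = 16  # size of the authenticator field; assumed to be an MD5 digest


def build_packet(serial_no: int, req_id: int, user_ip: str, pkt_type: int = 0x01) -> bytes:
    """Build a minimal portal-style packet with the authenticator field zeroed.

    Layout (assumed for this example, not the vendor's exact wire format):
      version(1) | type(1) | serial number(2) | request ID(2) | user IP(4) | authenticator(16)
    """
    ip_bytes = bytes(int(octet) for octet in user_ip.split("."))
    header = struct.pack("!BBHH4s", 0x02, pkt_type, serial_no, req_id, ip_bytes)
    return header + bytes(AUTH_LEN)


def compute_authenticator(packet: bytes, key: bytes) -> bytes:
    """Authenticator = MD5(packet with authenticator field zeroed || shared key).

    Zeroing the field first lets the receiver recompute the value over the
    packet exactly as received; the key itself never travels on the wire.
    """
    body = packet[:-AUTH_LEN] + bytes(AUTH_LEN)
    return hashlib.md5(body + key).digest()


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: return the packet with its authenticator filled in."""
    return packet[:-AUTH_LEN] + compute_authenticator(packet, key)


def verify(packet: bytes, key: bytes) -> bool:
    """Receiver side: recompute the authenticator and compare in constant time.

    A wrong key or any modified byte changes the digest, so the packet is
    rejected; compare_digest avoids leaking the mismatch position via timing.
    """
    if len(packet) <= AUTH_LEN:
        return False
    expected = compute_authenticator(packet, key)
    return hmac.compare_digest(expected, packet[-AUTH_LEN:])


if __name__ == "__main__":
    key = b"portal"  # the key-string from the portal server example above
    pkt = sign(build_packet(serial_no=1, req_id=0, user_ip="10.0.0.5"), key)
    print("genuine packet :", verify(pkt, key))
    # Constructed attack: rewrite the user IP so a replayed logout would hit another user.
    forged = pkt[:6] + bytes([10, 0, 0, 6]) + pkt[10:]
    print("forged user IP :", verify(forged, key))
    print("guessed key    :", verify(pkt, b"guess"))
```

The key is what stands between an attacker on the path and the ability to inject logout or login packets for other users, so treat the 16-character key-string like any other credential: it should be random, not a word, and different per portal server.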

portal server method

Syntax

portal server server-name method { layer3 | redhcp }

undo portal

View

Interface view

Default level

2: System level

Parameters

server-name: Name of the portal server, a case-sensitive string of 1 to 32 characters.

method: Specifies the authentication mode to be used.

·           layer3: Cross-subnet authentication.

·           redhcp: Re-DHCP authentication.

Description

Use the portal server command to enable portal authentication on an interface, and specify the portal server to be referenced and the authentication mode.

Use the undo portal command to disable portal authentication on an interface.

By default, portal authentication is disabled on an interface.

The portal server to be referenced must exist.

Related commands: display portal server.

Examples

# Enable portal authentication on interface GigabitEthernet 3/2/1, setting the portal server to pts and the authentication mode to layer3.

<Sysname> system-view

[Sysname] interface Gigabitethernet 3/2/1

[Sysname-GigabitEthernet3/2/1] portal server pts method layer3

portal server server-detect

Syntax

portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | trap } * [ interval interval ] [ retry retries ]

undo portal server server-name server-detect

View

System view

Default level

2: System level

Parameters

server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.

server-detect method { http | portal-heartbeat }: Specifies the portal server detection method. Two detection methods are available:

·           http: Probes the portal server by establishing HTTP connections. In this method, the access device periodically sends TCP connection requests to the HTTP service port of the portal servers enabled on its interfaces. If the TCP connection with a portal server can be established, the access device considers that the HTTP service of the portal server is open and the portal server is reachable, that is, the detection succeeds. If the TCP connection cannot be established, the access device considers that the detection fails, that is, the portal server is unreachable. If a portal server does not support the portal server heartbeat function, you can configure the access device to use the HTTP probe method to detect the reachability of the portal server.

·           portal-heartbeat: Probes the portal server by checking portal heartbeat packets. Portal servers periodically send portal heartbeat packets to the access devices. If the access device receives a portal heartbeat packet from a portal server within the specified interval, the access device considers that the probe succeeds and the portal server is reachable; otherwise, it considers that the probe fails and the portal server is unreachable. This method works only with portal servers that support the portal heartbeat function. Currently, only the iMC portal server supports this function. To use this method, you also need to enable the server heartbeat function on the iMC portal server and make sure that the server heartbeat interval configured on the portal server is shorter than or equal to the probe interval configured on the access device.

action { log | permit-all | trap }: Specifies the actions to be taken when the status of a portal server changes. Three actions are available:

·           log: Specifies the action as sending a log message. When the status (reachable/unreachable) of a portal server changes, the access device sends a log message. The log message contains the portal server name and the current state and original state of the portal server.

·           permit-all: Specifies the action as disabling portal authentication, that is, enabling portal escape. When the access device detects that a portal server is unreachable, it disables portal authentication on the interface referencing the portal server, so that all users on this interface can access network resources without authenticating (the interface fails open for as long as the server is considered unreachable). Portal authentication is re-enabled as soon as the access device again receives portal heartbeat packets or authentication packets (such as login requests and logout requests) from the server.

·           trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of a portal server changes, the access device sends a trap message to the network management server (NMS). The trap message contains the portal server name and the current state of the portal server.

interval interval: Interval at which probe attempts are made. The interval argument ranges from 20 to 600 and defaults to 20, in seconds.

retry retries: Maximum number of probe attempts. The retries argument ranges from 1 to 5 and defaults to 3. If the number of consecutive failed probes reaches this value, the access device considers that the portal server is unreachable.

Description

Use the portal server server-detect command to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. With this function configured, the router (access device) checks the status of the specified server periodically and takes the specified actions when the server status changes.

Use the undo portal server server-detect command to cancel the detection of the specified portal server.

By default, the portal server detection function is not configured.

You can specify one or more detection methods and actions to be taken.

If both detection methods are specified, a portal server is considered unreachable as long as one detection method fails, and an unreachable portal server is considered recovered only when both detection methods succeed.

If multiple actions are specified, the system will execute all the specified actions when the status of a portal server changes.

Deleting a portal server on the router will disable the detection function for the portal server.

If you configure the detection function for a portal server more than once, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.

The portal server detection function takes effect only when the portal server is referenced and enabled on an interface.

Authentication-related packets from a portal server, such as logon requests and logoff requests, have the same effect as the portal heartbeat packets for the portal server detection function.

Related command: display portal server.

Examples

# Configure the router to detect portal server pts:

·           Specifying both the HTTP probe and portal heartbeat probe methods

·           Setting the probe interval to 600 seconds

·           Having the router send a server-unreachable trap message, send a log message, and disable portal authentication (permitting unauthenticated portal users) when two consecutive probes fail.

<Sysname> system-view

[Sysname] portal server pts server-detect method http portal-heartbeat action log permit-all trap interval 600 retry 2
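The following added example (not H3C code; a model written for this page) walks the detection rules above through several probe intervals: a probe fails when any configured method fails, the server becomes unreachable after retry consecutive failures, recovery requires every configured method to succeed, and each state change fires the configured log, trap and permit-all actions. The class and method names are the example's own, and authentication packets from the server are folded into the heartbeat check as the text states.

```python
from dataclasses import dataclass, field


@dataclass
class PortalServerDetect:
    """Model of 'portal server <name> server-detect method ... action ...'."""
    name: str
    methods: frozenset            # subset of {"http", "portal-heartbeat"}
    actions: frozenset            # subset of {"log", "permit-all", "trap"}
    interval: int = 20            # seconds between probes (20..600)
    retry: int = 3                # consecutive failures before 'unreachable' (1..5)
    reachable: bool = True
    failures: int = 0
    portal_enabled: bool = True   # False = portal escape (permit-all) in effect
    logs: list = field(default_factory=list)
    traps: list = field(default_factory=list)

    def probe(self, http_ok: bool, heartbeat_seen: bool) -> bool:
        """Evaluate one probe interval and return the new reachability.

        http_ok: a TCP connection to the server's HTTP port succeeded.
        heartbeat_seen: a portal heartbeat or an authentication packet
        (login/logout request) arrived from the server during the interval.
        """
        checks = []
        if "http" in self.methods:
            checks.append(http_ok)
        if "portal-heartbeat" in self.methods:
            checks.append(heartbeat_seen)
        if all(checks):
            # Recovery requires every configured method to succeed.
            self.failures = 0
            if not self.reachable:
                self._change_state(True)
        else:
            # Any single failing method counts as a failed probe.
            self.failures += 1
            if self.reachable and self.failures >= self.retry:
                self._change_state(False)
        return self.reachable

    def _change_state(self, now_reachable: bool) -> None:
        was = "reachable" if self.reachable else "unreachable"
        now = "reachable" if now_reachable else "unreachable"
        self.reachable = now_reachable
        if "log" in self.actions:      # the log carries old and new state
            self.logs.append(f"portal server {self.name}: {was} -> {now}")
        if "trap" in self.actions:     # the trap carries only the current state
            self.traps.append((self.name, now))
        if "permit-all" in self.actions:
            # Fail-open: unauthenticated users pass while the server is down.
            self.portal_enabled = now_reachable


if __name__ == "__main__":
    # Same settings as the CLI example above: both methods, all actions, interval 600, retry 2.
    d = PortalServerDetect("pts", frozenset({"http", "portal-heartbeat"}),
                           frozenset({"log", "permit-all", "trap"}), interval=600, retry=2)
    # Constructed probe results: HTTP down twice, then heartbeat missing, then both fine.
    for http_ok, hb in [(False, True), (False, True), (True, False), (True, True)]:
        d.probe(http_ok, hb)
        print(f"http={http_ok!s:5} heartbeat={hb!s:5} "
              f"reachable={d.reachable} portal_enabled={d.portal_enabled}")
    print(d.logs)
```

Note the third interval: HTTP is back but no heartbeat arrived, so the server stays unreachable and, with permit-all configured, the interface stays open. If you only need monitoring, configure log and trap without permit-all; the escape action trades access control for availability whenever the server or the path to it is down.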

portal server user-sync

Syntax

portal server server-name user-sync [ interval interval ] [ retry retries ]

undo portal server server-name user-sync

View

System view

Default level

2: System level

Parameters

server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.

user-sync: Enables the portal user synchronization function.

interval interval: Interval at which the router checks for user synchronization packets. The interval argument ranges from 60 to 3600 and defaults to 300, in seconds.

retry retries: Specifies the maximum number of consecutive failed checks. The retries argument ranges from 1 to 5 and defaults to 4. If the router finds that one of its users does not exist in the user synchronization packets from the portal server within N consecutive probe intervals (N = retries), it considers that the user does not exist on the portal server and logs the user off.

Description

Use the portal server user-sync command to configure portal user information synchronization with a specific portal server. With this function configured, the router periodically checks and responds to user synchronization packets received from the specified portal server, so as to keep its online user information consistent with that on the portal server.

Use the undo portal server user-sync command to cancel the portal user information synchronization configuration with the specified portal server.

By default, the portal user synchronization function is not configured.

The user information synchronization function requires that a portal server supports the portal user heartbeat function (currently only the portal server of iMC supports portal user heartbeat). To implement the portal user synchronization function, you also need to configure the user heartbeat function on the portal server and make sure that the user heartbeat interval configured on the portal server is shorter than or equal to the synchronization probe interval configured on the router.

Deleting a portal server on the router will delete the portal user synchronization configuration with the portal server.

If you configure the user synchronization function for a portal server more than once, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.

For redundant user information on the router, that is, information about users the router has concluded no longer exist on the portal server, the router deletes the information during the (N+1)th probe interval, where N is the value of retries configured in the portal server user-sync command.

Examples

# Configure the router to synchronize portal user information with portal server pts at an interval of 600 seconds and log off users whose information does not exist in the user synchronization packets received from the server in two consecutive probe intervals.

<Sysname> system-view

[Sysname] portal server pts user-sync interval 600 retry 2
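The following added example (not H3C code; a model written for this page) reconciles the router's online-user table against the user IPs carried in the server's synchronization packets, applying the retry rule above: a user absent for N consecutive intervals is treated as gone and removed in the (N+1)th interval, and a user that reappears earlier keeps its session. The class name, the per-interval input format and the treatment of an interval with no sync packets as "all users absent" are the example's own assumptions; what the router's response to the server carries is not specified on this page.

```python
class PortalUserSync:
    """Model of 'portal server <name> user-sync [interval] [retry]'."""

    def __init__(self, retry: int = 4, interval: int = 300):
        self.retry = retry        # N: consecutive intervals a user may be absent
        self.interval = interval  # seconds between checks (60..3600)
        self.online = {}          # user IP -> consecutive intervals missing from sync data

    def login(self, user_ip: str) -> None:
        """Register a user who just passed portal authentication."""
        self.online[user_ip] = 0

    def sync_interval(self, synced_users: set) -> dict:
        """Reconcile one interval against the users the server reported.

        synced_users: user IPs carried in the user-sync packets received from the
        portal server during this interval (empty if none arrived, which this
        model treats as every user being absent).
        Returns {"logged_off": set, "unknown_to_router": set}.
        """
        logged_off = set()
        for user_ip in list(self.online):
            if user_ip in synced_users:
                self.online[user_ip] = 0          # seen again: reset the count
                continue
            self.online[user_ip] += 1
            # Absent for N consecutive intervals means the server no longer has
            # the user; the router's entry goes away in the (N+1)th interval.
            if self.online[user_ip] > self.retry:
                del self.online[user_ip]
                logged_off.add(user_ip)
        # Users the server lists but the router has no session for; the router
        # reports these back so the server can correct its own table.
        unknown = synced_users - set(self.online)
        return {"logged_off": logged_off, "unknown_to_router": unknown}


if __name__ == "__main__":
    # Same settings as the CLI example above: interval 600, retry 2.
    s = PortalUserSync(retry=2, interval=600)
    s.login("10.0.0.5")
    s.login("10.0.0.6")
    # Constructed sync data: the server keeps reporting 10.0.0.5 but never 10.0.0.6.
    for n, reported in enumerate([{"10.0.0.5"}, {"10.0.0.5"}, {"10.0.0.5", "10.0.0.9"}], 1):
        result = s.sync_interval(reported)
        print(f"interval {n}: logged_off={result['logged_off']} "
              f"unknown_to_router={result['unknown_to_router']} online={set(s.online)}")
```

With retry 2 the orphaned user survives intervals 1 and 2 and is logged off in interval 3, the (N+1)th, which with a 600-second interval means up to 30 minutes of access after the server dropped the user. Shorter intervals tighten that window but require the server's user heartbeat interval to stay at or below the router's probe interval, as the description notes.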

reset portal connection statistics

Syntax

reset portal connection statistics { all | interface interface-type interface-number }

View

User view

Default level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

Description

Use the reset portal connection statistics command to clear portal connection statistics on a specific interface or all interfaces.

Examples

# Clear portal connection statistics on interface GigabitEthernet 3/2/1.

<Sysname> reset portal connection statistics interface GigabitEthernet3/2/1

reset portal server statistics

Syntax

reset portal server statistics { all | interface interface-type interface-number }

View

User view

Default level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

Description

Use the reset portal server statistics command to clear portal server statistics on a specific interface or all interfaces.

Examples

# Clear portal server statistics on interface GigabitEthernet 3/2/1.

<Sysname> reset portal server statistics interface GigabitEthernet3/2/1

reset portal tcp-cheat statistics

Syntax

reset portal tcp-cheat statistics

View

User view

Default level

1: Monitor level

Parameters

None

Description

Use the reset portal tcp-cheat statistics command to clear TCP spoofing statistics.

Examples

# Clear TCP spoofing statistics.

<Sysname> reset portal tcp-cheat statistics

 
