09-Security Command Reference

05-Web authentication commands

Web authentication commands

display web-auth

Use display web-auth to display Web authentication configuration and running status on interfaces.

Syntax

display web-auth [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays Web authentication configuration for all interfaces.

Examples

# Display Web authentication configuration on Ten-GigabitEthernet 1/0/1.

<Sysname> display web-auth interface ten-gigabitethernet 1/0/1

 Global Web-auth parameters:

   HTTP proxy port numbers    : Total 4 ports

     1, 10, 100-101

   HTTPS proxy port numbers   : Total 5 ports

     201, 203, 205, 207, 2011

 Total online web-auth users  : 1

 

 Ten-GigabitEthernet1/0/1  is link-up

   Port role                  : Authenticator

   Web-auth domain            : my-domain

   Auth-Fail VLAN             : Not configured

   Offline-detect             : Not configured

   Max online users           : 1024

   Web-auth enable            : Enabled

   Host mode                  : Multiple-VLAN

   Primary Web server         : wbs1

   Secondary Web server       : wbs2

   Web-auth MAC-VLAN          : Enabled

   Portal mac trigger server  : mts1

 

   Total online web-auth users: 1

# Display Web authentication configuration on DR interface Bridge-Aggregation 1.

<Sysname> display web-auth interface bridge-Aggregation1

 Global Web-auth parameters:

   HTTP proxy port numbers    : Total 4 ports

     1, 10, 100-101

   HTTPS proxy port numbers   : Total 5 ports

     201, 203, 205, 207, 2011

 Total online web-auth users  : 1

 

 Bridge-Aggregation1 is link-up

   Port role                           : Authenticator

   Web-auth domain                     : my-domain

   DR member configuration conflict    : Not conflicted

   Auth-Fail VLAN                      : Not configured

   Offline-detect                      : Not configured

   Max online users                    : 1024

   Web-auth enable                     : Enabled

   Host mode                           : Multiple-VLAN

   Primary Web server                  : wbs1

   Secondary Web server                : wbs2

   Web-auth MAC-VLAN                   : Enabled

 

   Total online web-auth users: 1

Table 1 Command output

Field

Description

Global Web-auth parameters

Global Web authentication configuration.

HTTP proxy port numbers

HTTP port numbers of the Web proxy servers.

HTTPS proxy port numbers

HTTPS port numbers of the Web proxy servers.

Total online web-auth users

Total number of online Web authentication users on the device.

Ten-GigabitEthernet1/0/1 is link-up

State of the interface:

·     link-up—The interface is both administratively and physically up.

·     link-down—The interface is down.

Port role

Role of the port. The port functions only as an Authenticator.

Web-auth domain

ISP domain used by Web authentication.

DR member configuration conflict

DR member configuration consistency check result:

·     Conflicted—The DR member devices have inconsistent configuration.

·     Not conflicted—The DR member devices have consistent configuration.

·     Unknown—The configuration consistency check failed.

Auth-Fail VLAN

Auth-Fail VLAN for Web authentication. This field displays Not configured if no Auth-Fail VLAN is configured.

Offline-detect

Interval of Web authentication user detection. This field displays Not configured if online detection for Web authentication users is disabled.

Max online users

Maximum number of Web authentication users allowed on the interface.

Web-auth enable

State of Web authentication:

·     Enabled.

·     Disabled.

Host mode

Web authentication VLAN mode for users moving from one VLAN to another on the port:

·     Single VLAN—Single-VLAN mode.

·     Multiple VLAN—Multi-VLAN mode.

Primary Web server

Name of the primary Web server for Web authentication.

Secondary Web server

Name of the secondary Web server for Web authentication.

Web-auth MAC-VLAN

MAC-based VLAN status for Web authentication: Enabled or Disabled.

Portal mac trigger server

Name of the portal MAC binding server for Web authentication.

Total online web-auth users

Total number of online Web authentication users on the interface.

 

display web-auth free-ip

Use display web-auth free-ip to display Web authentication-free subnets.

Syntax

display web-auth free-ip

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display Web authentication-free subnets.

<Sysname> display web-auth free-ip

       Free IP                  : 1.1.0.0        255.255.0.0

                                : 1.2.0.0        255.255.0.0

Related commands

web-auth free-ip

display web-auth server

Use display web-auth server to display Web server information for Web authentication.

Syntax

display web-auth server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies the name of a local or remote Web server, a case-sensitive string of 1 to 32 characters. If you do not specify a Web server, this command displays information about all Web servers.

Examples

# Display information about local Web server aaa for Web authentication.

<Sysname> display web-auth server aaa

Web server: aaa

  Type                  : Local

  IP address            : 8.8.8.8

  Port                  : 80

  IPv6 address          : 8:8::8:8

  IPv6 port             : 1

  URL                   : http://abc/portal/

  Redirect-wait-time    : 5

  URL parameters        : Not configured

  Server type           : OAuth

# Display information about remote Web server bbb for Web authentication.

<Sysname> display web-auth server bbb

Web server: bbb

  Type                  : Remote

  IP address            : 7.7.7.7

  IPv6 address          : 7:7::7:7

  URL                   : http://abc/portal/

     Track ID           : 123

     Server state       : Active

  URL parameters        : Not configured

# Display information about all Web servers for Web authentication.

<Sysname> display web-auth server

Web server: aaa

  Type                  : Local

  IP address            : 8.8.8.8

  Port                  : 80

  IPv6 address          : 8:8::8:8

  IPv6 port             : 1

  URL                   : http://abc/portal/

  Redirect-wait-time    : 5

  URL parameters        : Not configured

  Server type           : OAuth

 

Web server: bbb

  Type                  : Remote

  IP address            : 7.7.7.7

  IPv6 address          : 7:7::7:7

  URL                   : http://abc/portal/

     Track ID           : 123

     Server state       : Active

  URL parameters        : Not configured

Table 2 Command output

Field

Description

Type

Type of the Web server for Web authentication.

·     Local—Local Web server.

·     Remote—Remote Web server.

Web server

Name of the Web server for Web authentication.

IP address

IPv4 address of the Web server for Web authentication.

Port

Port number of the IPv4 local Web server for Web authentication.

This field is available only for local Web servers.

IPv6 address

IPv6 address of the Web server for Web authentication.

IPv6 port

Port number of the IPv6 local Web server for Web authentication.

This field is available only for local Web servers.

URL

Redirection URL of the Web server for Web authentication.

Track ID

ID of a track entry. If the Web server is not associated with Track, this field displays Not configured.

This field is available only for remote Web servers.

Server state

State of the remote Web server for Web authentication:

·     Active—The remote Web server is reachable.

·     Inactive—The remote Web server is unreachable.

This field is available only for remote Web servers.

Server type

Whether the Web authentication local Web server supports the Oasis platform:

·     OAuth—The local Web server supports the Oasis platform.

·     Not configured—The local Web server does not support the Oasis platform.

Redirect-wait-time

Time before redirecting an authenticated user to the webpage requested by the user.

URL parameters

Parameters in the redirection URL.

 

display web-auth user

Use display web-auth user to display information about online Web authentication users on interfaces.

Syntax

display web-auth user [ drni [ local | peer ] ] [ interface interface-type interface-number | slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

drni: Specifies Web authentication users in a DR system. If you do not specify this keyword, the command displays information about online Web authentication users. If you specify this keyword and do not specify the following local or peer keyword, this command displays information about Web authentication users on all DR member devices.

local: Specifies Web authentication users on the local DR member device.

peer: Specifies Web authentication users on the peer DR member device.

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information about online Web authentication users on all interfaces.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays online Web authentication user information for all member devices.

Examples

# Display information about online Web authentication users on Ten-GigabitEthernet 1/0/1.

<Sysname> display web-auth user interface ten-gigabitethernet 1/0/1

  Total online web-auth users: 1

 

User name: user1

  MAC address: 0000-2700-b076

  Access interface: Ten-GigabitEthernet 1/0/1

  Initial VLAN: 1

  Authorization VLAN: N/A

  Authorization ACL ID: N/A

  Authorization user profile: N/A

# Display Web authentication users on DR interface Bridge-Aggregation 1.

<Sysname> display web-auth user interface Bridge-Aggregation1

  Total online web-auth users: 2

 

User name: user1

  MAC address: 0000-2700-b013

  DRNI NAS-IP type: Local

  DRNI user state: Active

  Access interface: Bridge-Aggregation1

  Initial VLAN: 1

  Authorization VLAN: N/A

  Authorization ACL ID: N/A

  Authorization user profile: N/A

User name: user1

  MAC address: 0000-2710-b321

  DRNI NAS-IP type: Peer

  DRNI user state: Inactive

  Access interface: Bridge-Aggregation2

  Initial VLAN: 1

  Authorization VLAN: N/A

  Authorization ACL ID: N/A

  Authorization user profile: N/A

Table 3 Command output

Field

Description

Total online web-auth users

Total number of online Web authentication users.

User name

Name of the online Web authentication user.

MAC address

MAC address of the online Web authentication user.

DRNI NAS-IP type

Type of the NAS-IP address used on the DR interface in the DR system during Web authentication:

·     Local—The IP address of the local DR member device is used.

·     Peer—The IP address of the peer DR member device is used.

DRNI user state

Status of the user on the DR interface in the DR system:

·     Active—The user is active. The local DR member device exchanges the user authentication information with the AAA server.

·     Inactive—The user is inactive. The peer DR member device exchanges the user authentication information with the AAA server.

Access interface

Access interface of the online Web authentication user.

Initial VLAN

Initial VLAN of the user before the user passes Web authentication.

Authorization VLAN

Authorization VLAN ID of the online Web authentication user.

Authorization ACL ID

Authorization ACL number of the online Web authentication user.

Authorization user profile

Status of the user profile of the online Web authentication user:

·     N/A—No user profile is authorized.

·     Active—The authorized user profile is applied to the user access interface successfully.

·     Inactive—The authorized user profile is not applied to the user access interface or the user profile does not exist on the device.

 

ip (Web authentication local Web server view)

Use ip to specify the IPv4 address and port number for a local Web server for Web authentication.

Use undo ip to restore the default.

Syntax

ip ipv4-address port port-number

undo ip

Default

No IPv4 address or port number is specified for a local Web server for Web authentication.

Views

Web authentication local Web server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the local Web server. This IP address is that of a Layer 3 interface on the access device and must be routable to and from the Web authentication user.

port port-number: Specifies the port number of the local Web server, in the range of 1 to 65535.

Usage guidelines

As a best practice, use the IP address of a loopback interface as the IP address of the local Web server. A loopback interface has the following advantages:

·     The status of a loopback interface is stable. This can avoid authentication page access failures caused by interface failures.

·     A loopback interface does not forward received packets. This can avoid impacting system performance when there are many network access requests.

The port number of the local Web server must be the same as the listening port number of the local portal Web service. For more information about the local portal Web service configuration, see portal authentication in Security Configuration Guide.

You can configure one IPv4 address and one IPv6 address for a local Web server.

If you execute this command multiple times for a local Web server, the most recent configuration takes effect.

Examples

# Enter the view of local Web server wbls.

<Sysname> system-view

[Sysname] web-auth server wbls

# Specify 192.168.1.1 as the IPv4 address and 8080 as the port number for the local Web server.

[Sysname-web-auth-server-wbls] ip 192.168.1.1 port 8080

Related commands

tcp-port

ip (Web authentication remote Web server view)

Use ip to specify the IPv4 address for a remote Web server for Web authentication.

Use undo ip to restore the default.

Syntax

ip ipv4-address

undo ip

Default

No IPv4 address is specified for a remote Web server for Web authentication.

Views

Web authentication remote Web server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the remote Web server.

Usage guidelines

The IPv4 address of the remote Web server must be the IPv4 address of the portal Web server used for Web authentication.

You can configure one IPv4 address and one IPv6 address for a remote Web server.

If you execute this command multiple times for a remote Web server, the most recent configuration takes effect.

Examples

# Enter the view of remote Web server wbrs.

<Sysname> system-view

[Sysname] web-auth remote server wbrs

# Specify 1.2.3.4 as the IPv4 address of the remote Web server.

[Sysname-web-auth-remote-server-wbrs] ip 1.2.3.4

ipv6 (Web authentication local Web server view)

Use ipv6 to specify the IPv6 address and port number for a local Web server for Web authentication.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address port port-number

undo ipv6

Default

No IPv6 address or port number is specified for a local Web server for Web authentication.

Views

Web authentication local Web server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the local Web server. This IPv6 address is that of a Layer 3 interface on the access device and must be routable to and from the Web authentication user.

port port-number: Specifies the port number of the local Web server, in the range of 1 to 65535.

Usage guidelines

As a best practice, use the IPv6 address of a loopback interface as the IPv6 address of the local Web server. A loopback interface has the following advantages:

·     The status of a loopback interface is stable. This can avoid authentication page access failures caused by interface failures.

·     A loopback interface does not forward received packets. This can avoid impacting system performance when there are many network access requests.

The port number of the local Web server must be the same as the listening port number of the local portal Web service. For more information about the local portal Web service configuration, see portal authentication in Security Configuration Guide.

You can configure one IPv4 address and one IPv6 address for a local Web server.

If you execute this command multiple times for a local Web server, the most recent configuration takes effect.

Examples

# Enter the view of local Web server wbls.

<Sysname> system-view

[Sysname] web-auth server wbls

# Specify 1:2::3:4 as the IPv6 address and 8080 as the port number for the local Web server.

[Sysname-web-auth-server-wbls] ipv6 1:2::3:4 port 8080

Related commands

tcp-port

ipv6 (Web authentication remote Web server view)

Use ipv6 to specify the IPv6 address for a remote Web server for Web authentication.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address

undo ipv6

Default

No IPv6 address is specified for a remote Web server for Web authentication.

Views

Web authentication remote Web server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the remote Web server.

Usage guidelines

The IPv6 address of the remote Web server must be the IPv6 address of the portal Web server used for Web authentication.

You can configure one IPv4 address and one IPv6 address for a remote Web server.

If you execute this command multiple times for a remote Web server, the most recent configuration takes effect.

Examples

# Enter the view of remote Web server wbrs.

<Sysname> system-view

[Sysname] web-auth remote server wbrs

# Specify 1:2::3:4 as the IPv6 address of the remote Web server.

[Sysname-web-auth-remote-server-wbrs] ipv6 1:2::3:4

redirect-wait-time

Use redirect-wait-time to set the redirection wait time. After a user passes Web authentication, the device waits for the specified period of time before redirecting the user to the specified webpage.

Use undo redirect-wait-time to restore the default.

Syntax

redirect-wait-time period

undo redirect-wait-time

Default

The redirection wait time is 5 seconds.

Views

Web authentication local server view

Predefined user roles

network-admin

Parameters

period: Specifies the redirection wait time in the range of 1 to 90 seconds.

Usage guidelines

After a user passes Web authentication and is assigned an authorization VLAN, the user might need to change the IP address of the authentication client. To ensure that the redirection URL can be successfully opened, set the redirection wait time to be greater than the time that the user takes to update the IP address of the client.

Examples

# Set the redirection wait time for authenticated users to 10 seconds.

<Sysname> system-view

[Sysname] web-auth server wbls

[Sysname-web-auth-server-wbls] redirect-wait-time 10

url

Use url to specify the redirection URL for a Web server for Web authentication.

Use undo url to restore the default.

Syntax

url url-string [ track track-entry-number ]

undo url

Default

No redirection URL is specified for a Web server for Web authentication.

Views

Web authentication server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the redirection URL of the Web server, a case-sensitive string of 1 to 256 characters. The URL string must start with http:// or https:// and can include question marks (?). If you enter a question mark (?) in the place of this argument, the CLI does not display help information for this argument. The IP address and port number in the URL must be the same as those of the local Web server for Web authentication.

track track-entry-number: Associates a track entry with the Web server to detect the server state changes. The track-entry-number argument specifies the ID of the associated track entry, in the range of 1 to 1024. This option is configurable only in remote Web server view.

Usage guidelines

By default, the state of the Web server specified by the redirection URL is always active. The device cannot obtain the real server state. When primary and secondary Web servers are deployed for continuous authentication service, the device needs to quickly obtain the primary server's state changes to perform primary/secondary switchovers accordingly.

You can associate the Web server with a track entry that is associated with NQA, so the device can periodically detect the reachability of the server through NQA.

·     The Track module changes the state of the track entry according to the NQA detection result. The device changes the state of the Web server according to the state of the track entry.

·     In this way, if NQA detects that the Web server becomes reachable, the device will set the server state to active. If NQA detects that the Web server becomes unreachable, the device will set the server state to inactive.

The NQA detection for server reachability is performed according to the nqa schedule configuration, which schedules the NQA operation associated with the track entry. Configure the NQA operation time and other detection parameters as needed.

For more information about the NQA configuration, see Network Management and Monitoring Configuration Guide. For more information about the Track configuration, see High Availability Configuration Guide.

To provide Web authentication pages for both IPv4 and IPv6 Web authentication users, configure the redirection URL to carry the domain name of the Web server. Example: http://abc.com, where abc.com is the domain name of the Web server.

To deploy both primary and secondary Web servers, you must associate the primary Web server with a track entry to monitor the reachability status of the server. Otherwise, the device cannot sense the reachability state changes of the primary server to perform primary/secondary switchovers.

A Web server can be associated with only one track entry. If you associate Track with the Web server multiple times, the most recent configuration takes effect.

Examples

# Specify http://192.168.1.1:80/portal/ as the redirection URL of local Web server wbls for Web authentication.

<Sysname> system-view

[Sysname] web-auth server wbls

[Sysname-web-auth-server-wbls] url http://192.168.1.1:80/portal/

# Specify http://192.168.1.1:80/portal/ as the redirection URL of remote Web server wbrs for Web authentication, and associate the Web server with track entry 1.

[Sysname] web-auth remote server wbrs

[Sysname-web-auth-remote-server-wbrs] url http://192.168.1.1:80/portal/ track 1

Related commands

ip

nqa schedule (Network Management and Monitoring Command Reference)

tcp-port

track nqa (High Availability Command Reference)

web-auth enable

url-parameter

Use url-parameter to add parameters to the redirection URL of Web authentication.

Use undo url-parameter to delete parameters from the redirection URL of Web authentication.

Syntax

url-parameter parameter-name { original-url | source-address | source-mac | value expression }

undo url-parameter parameter-name

Default

No URL parameters are added to the redirection URL of Web authentication.

Views

Web authentication local server view

Web authentication remote server view

Predefined user roles

network-admin

Parameters

parameter-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. Content of the parameter is determined by the following keyword you specify.

original-url: Specifies the URL of the original webpage that a portal user visits.

source-address: Specifies the user IP address.

source-mac: Specifies the user MAC address.

value expression: Specifies a custom case-sensitive string of 1 to 256 characters. The string can include question marks (?). If you enter a question mark (?) in the place of the expression argument, the CLI does not display help information for this argument.

Usage guidelines

You can repeat this command to add multiple URL parameters to the redirection URL of Web authentication. For example, to add the user IP address and a custom string of http://www.abc.com/welcome to the redirection URL, execute the following commands:

·     url-parameter userip source-address

·     url-parameter userurl value http://www.abc.com/welcome

The device will redirect Web requests from IP address 1.1.1.1 to the URL at http://192.168.1.1/portal?userip=1.1.1.1&userurl=http://www.abc.com/welcome.

If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect.

When you configure the parameter-name argument in this command, you must use the URL parameter name supported by the Web browser. Different Web browsers support different URL parameter names.
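As an added illustration (not part of this reference or of H3C's software), the following Python models how url-parameter entries are assembled into the redirection URL as the guidelines above describe, including the most-recent-configuration-wins rule for a repeated parameter name, and shows the query the portal side receives. The class and function names, the query-order assumption and the sample MAC address and original URL are mine.

```python
"""Model how url-parameter entries are assembled into the redirection URL described
above, including the rule that repeating the command for the same parameter-name
replaces the earlier definition. Added illustration, not H3C code."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlsplit

KINDS = ("original-url", "source-address", "source-mac", "value")


@dataclass
class UrlParameter:
    name: str                         # parameter-name, 1 to 32 characters
    kind: str                         # one of KINDS
    expression: Optional[str] = None  # only with kind == "value", 1 to 256 characters


@dataclass
class WebAuthServer:
    url: str                          # url url-string
    # Query order follows configuration order; a redefinition keeps its slot (assumptions).
    parameters: Dict[str, UrlParameter] = field(default_factory=dict)

    def url_parameter(self, name: str, kind: str, expression: Optional[str] = None) -> None:
        """url-parameter parameter-name { original-url | source-address | source-mac | value expression }"""
        if not 1 <= len(name) <= 32:
            raise ValueError("parameter-name must be 1 to 32 characters")
        if kind not in KINDS:
            raise ValueError(f"unknown keyword {kind!r}")
        if kind == "value":
            if expression is None or not 1 <= len(expression) <= 256:
                raise ValueError("value expression must be 1 to 256 characters")
        elif expression is not None:
            raise ValueError(f"{kind} takes no expression")
        self.parameters[name] = UrlParameter(name, kind, expression)  # most recent wins

    def undo_url_parameter(self, name: str) -> None:
        """undo url-parameter parameter-name"""
        self.parameters.pop(name, None)


def build_redirect_url(server: WebAuthServer, user_ip: str, user_mac: str, original_url: str) -> str:
    """Compose the URL the user is redirected to, substituting the per-user fields.
    Values are appended exactly as the reference shows them (no percent-encoding)."""
    pairs = []
    for p in server.parameters.values():
        if p.kind == "source-address":
            value = user_ip
        elif p.kind == "source-mac":
            value = user_mac
        elif p.kind == "original-url":
            value = original_url
        else:
            value = p.expression
        pairs.append(f"{p.name}={value}")
    if not pairs:
        return server.url
    separator = "&" if "?" in server.url else "?"  # assumption for a URL that already has a query
    return f"{server.url}{separator}{'&'.join(pairs)}"


def parse_redirect_query(url: str) -> Dict[str, str]:
    """What the portal side receives: the query split back into name/value pairs."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def page_example() -> str:
    """The scenario in the usage guidelines: userip and userurl on http://192.168.1.1/portal
    for a user at 1.1.1.1 (the MAC address and original URL are constructed placeholders)."""
    srv = WebAuthServer("http://192.168.1.1/portal")
    srv.url_parameter("userip", "source-address")
    srv.url_parameter("userurl", "value", "http://www.abc.com/welcome")
    return build_redirect_url(srv, "1.1.1.1", "0000-2700-b076", "http://example.test/index.html")


if __name__ == "__main__":
    url = page_example()
    print(url)
    print(parse_redirect_query(url))
```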

Examples

# Add parameters userip and userurl to the redirection URL of local Web server wbls.

<Sysname> system-view

[Sysname] web-auth server wbls

[Sysname-web-auth-server-wbls] url-parameter userip source-address

[Sysname-web-auth-server-wbls] url-parameter userurl value http://www.abc.com/welcome

Related commands

web-auth server

web-auth apply portal mac-trigger-server

Use web-auth apply portal mac-trigger-server to apply a portal MAC binding server for Web authentication.

Use undo web-auth apply portal mac-trigger-server to restore the default.

Syntax

web-auth apply portal mac-trigger-server server-name

undo web-auth apply portal mac-trigger-server

Default

No portal MAC binding server is applied for Web authentication.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of a portal MAC binding server, a case-sensitive string of 1 to 32 characters.

Usage guidelines

In Web authentication scenarios where valid users need to frequently access the network, you can configure MAC-based quick authentication to allow the users to pass Web authentication without manually entering the authentication information.

MAC-based quick authentication is also called MAC-trigger authentication or transparent authentication. It requires a portal MAC binding server.

When a user accesses the network, the access device sends the user's MAC address in a query message to the portal MAC binding server. If the portal MAC binding server finds user authentication information bound to the MAC address, it sends the user authentication information to the access device to initiate Web authentication. The user is authenticated without entering the username and password.

This feature supports only IPv4 portal MAC binding servers, and the server type must be Oasis platform.

To make the MAC-based quick authentication take effect, complete the following tasks:

·     Complete the normal Layer 2 Web authentication configuration.

·     Configure the IP address and port number of the portal MAC binding server to be used.

·     Apply the portal MAC binding server to a Layer 2 Ethernet interface or Layer 2 aggregate interface.

Examples

# Apply portal MAC binding server mts to Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] web-auth apply portal mac-trigger-server mts

Related commands

portal mac-trigger-server

server-type (portal authentication server view or portal Web server view)

web-auth auth-fail vlan

Use web-auth auth-fail vlan to specify an Auth-Fail VLAN for Web authentication.

Use undo web-auth auth-fail vlan to restore the default.

Syntax

web-auth auth-fail vlan authfail-vlan-id

undo web-auth auth-fail vlan

Default

No Auth-Fail VLAN is specified for Web authentication.

Views

Layer 2 aggregate interface view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

authfail-vlan-id: Specifies the Auth-Fail VLAN ID in a range of 1 to 4094. The specified VLAN must already exist.

Usage guidelines

After you configure this command on an interface, users who fail Web authentication on the interface can access resources in the Auth-Fail VLAN. You must also configure the IP address of the server that provides the resources as an authentication-free IP address.

To make the Auth-Fail VLAN take effect, you must also enable MAC-based VLAN on the interface, and set the subnet of the Auth-Fail VLAN as the Web authentication-free subnet.

Because MAC-based VLAN takes effect only on Hybrid ports, Auth-Fail VLAN also takes effect only on Hybrid ports.

If a user fails Web authentication, the device maps the MAC address of the user to the Auth-Fail VLAN.

You cannot delete a VLAN that has been configured as an Auth-Fail VLAN. To delete the VLAN, first cancel the Auth-Fail VLAN configuration by using the undo web-auth auth-fail vlan command.

If a VLAN is specified as the super VLAN, do not configure this VLAN as an Auth-Fail VLAN of an interface. If a VLAN is specified as an Auth-Fail VLAN of an interface, do not configure this VLAN as a super VLAN.

Examples

# Specify VLAN 5 as Web authentication Auth-Fail VLAN on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port link-type hybrid

[Sysname-Ten-GigabitEthernet1/0/1] mac-vlan enable

[Sysname-Ten-GigabitEthernet1/0/1] web-auth auth-fail vlan 5

Related commands

display web-auth

web-auth timer temp-entry-aging

web-auth domain

Use web-auth domain to specify an authentication domain for Web authentication users on an interface.

Use undo web-auth domain to restore the default.

Syntax

web-auth domain domain-name

undo web-auth domain

Default

No authentication domain is specified for Web authentication users on an interface.

Views

Layer 2 aggregate interface view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP authentication domain name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

After you configure this command, the device uses the authentication domain for authentication, authorization and accounting (AAA) of the Web authentication users on the interface.

Examples

# Specify domain my-domain as the authentication domain of Web authentication users on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] web-auth domain my-domain

web-auth enable

Use web-auth enable to enable Web authentication.

Use undo web-auth enable to disable Web authentication.

Syntax

web-auth enable apply server primary-server-name [ secondary-server secondary-server-name ]

undo web-auth enable

Default

Web authentication is disabled.

Views

Layer 2 aggregate interface view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

primary-server-name: Specifies the name of the primary Web server for Web authentication, a case-sensitive string of 1 to 32 characters.

secondary-server secondary-server-name: Specifies the name of the secondary Web server for Web authentication, a case-sensitive string of 1 to 32 characters.

Usage guidelines

Use this command to enable Web authentication on an interface and specify a primary or a secondary Web server.

For Web authentication to operate correctly, do not enable port security or configure the port security mode on the Layer 2 interface enabled with Web authentication.

To deploy both primary and secondary Web servers, follow these restrictions and guidelines:

·     Only a remote Web server can be used as the primary Web server. A remote or local Web server can be used as the secondary Web server.

·     Associate the primary Web server with a track entry (by using the url url-string track track-entry-number command) to monitor the reachability status of the server. Otherwise, the device cannot sense the reachability state changes of the primary server to perform primary/secondary switchovers.

Examples

# Enable Web authentication and specify primary Web server wbs1 and secondary Web server wbs2 on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] web-auth enable apply server wbs1 secondary-server wbs2

Related commands

display web-auth

url

web-auth server

web-auth free-host

Use web-auth free-host to configure a Web authentication-free destination host name.

Use undo web-auth free-host to restore the default.

Syntax

web-auth free-host host-name

undo web-auth free-host { host-name | all }

Default

No Web authentication-free destination host names exist.

Views

System view

Predefined user roles

network-admin

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, hyphens (-), underscores (_), and dots (.).

all: Specifies all Web authentication-free destination host names.

Usage guidelines

Before configuring Web authentication-free destination host names, make sure a DNS server has been deployed on the network, or the host name-to-IPv4 address mappings have been configured by using the ip host command. For more information about the ip host command, see DNS commands in Layer 3—IP Services Command Reference.

Web authentication users can access the specified host resources without being authenticated.

You can repeat this command to configure multiple Web authentication-free host names.

The Web authentication-free host names support only precise matching. For example, Web authentication-free host name abc.com.cn matches only HTTP/HTTPS request packets that contain the host name of abc.com.cn. It does not match packets that contain host name dfabc.com.cn.

Examples

# Configure Web authentication-free host name www.abc.com.

<Sysname> system-view

[Sysname] web-auth free-host www.abc.com

Related commands

web-auth free-ip

web-auth free-ip

Use web-auth free-ip to specify a Web authentication-free subnet.

Use undo web-auth free-ip to restore the default.

Syntax

web-auth free-ip ip-address { mask-length | mask }

undo web-auth free-ip { ip-address { mask-length | mask } | all }

Default

No Web authentication-free subnets exist.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the Web authentication-free subnet address.

mask-length: Specifies the mask length of the Web authentication-free subnet address, in the range of 1 to 32.

mask: Specifies a mask for the Web authentication-free subnet in dotted decimal notation.

all: Specifies all Web authentication-free subnets.

Usage guidelines

Web authentication users can access resources in Web authentication-free subnets without being authenticated.

You can repeat this command to configure multiple Web authentication-free subnets.
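The matching rules for web-auth free-host (precise, case-insensitive host-name match) and web-auth free-ip (subnet given by mask length or dotted mask), modelled as an added Python example. This is not H3C code; the Host-header port stripping and the lower-casing are assumptions made for the model.

```python
import ipaddress

# Constructed model of the Web authentication-free rules: free-ip subnets
# (mask length 1-32 or dotted mask) and exact-match free-host names.

def add_free_ip(subnets, ip_address, mask):
    """Model 'web-auth free-ip ip-address { mask-length | mask }'."""
    net = ipaddress.ip_network(f"{ip_address}/{mask}", strict=False)
    if not 1 <= net.prefixlen <= 32:
        raise ValueError("mask length must be 1 to 32")
    subnets.append(net)
    return net

def add_free_host(hosts, host_name):
    """Model 'web-auth free-host host-name' (1-253 chars; letters, digits, - _ .)."""
    if not 1 <= len(host_name) <= 253:
        raise ValueError("host name must be 1 to 253 characters")
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789-_.")
    if any(c not in allowed for c in host_name.lower()):
        raise ValueError("invalid character in host name")
    hosts.add(host_name.lower())   # case-insensitive match (assumption: store lower-case)
    return host_name.lower()

def is_auth_free(dst_ip, host_header, subnets, hosts):
    """True if a request may pass without Web authentication."""
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in subnets):
        return True
    if host_header is not None:
        # Assumption: an optional ':port' in the Host header is ignored.
        name = host_header.split(":", 1)[0].strip().lower()
        # Precise matching only: 'abc.com.cn' never matches 'dfabc.com.cn'.
        return name in hosts
    return False
```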

Examples

# Configure subnet 192.168.0.0/24 as a Web authentication-free subnet.

<Sysname> system-view

[Sysname] web-auth free-ip 192.168.0.0 24

web-auth host-mode multi-vlan

Use web-auth host-mode multi-vlan to enable multi-VLAN mode for Web authentication users on a port.

Use undo web-auth host-mode multi-vlan to restore the default.

Syntax

web-auth host-mode multi-vlan

undo web-auth host-mode multi-vlan

Default

Web authentication operates in single-VLAN mode on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

In multi-VLAN mode, the port forwards traffic from a user in different VLANs without reauthentication if the user has been authenticated and has come online in any VLAN on the port.

In single-VLAN mode, the port reauthenticates an online user when traffic received from that user contains a VLAN tag different from the VLAN in which the user was authenticated. The authentication process differs depending on the MAC move setting in port security and the authorization VLAN assignment status, as follows:

·     If no authorization VLAN has been assigned to the online user, the device first logs off the user and then reauthenticates the user in the new VLAN.

·     If the online user has been assigned an authorization VLAN, the device handles the user depending on the MAC move setting in port security.

¡     If MAC move is disabled in port security, the user cannot pass authentication and come online from the new VLAN until after it goes offline from the port.

¡     If MAC move is enabled in port security, the user can pass authentication on the new VLAN and come online without having to first go offline from the port. After the user passes authentication on the new VLAN, the original authentication session of the user is deleted from the port.

To enable the port security MAC move feature, use the port-security mac-move permit command.

Examples

# Enable Web authentication multi-VLAN mode on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] web-auth host-mode multi-vlan

Related commands

display web-auth

port-security mac-move permit

web-auth max-user

Use web-auth max-user to set the maximum number of Web authentication users allowed on an interface.

Use undo web-auth max-user to restore the default.

Syntax

web-auth max-user max-number

undo web-auth max-user

Default

The maximum number of Web authentication users allowed on an interface is 1024.

Views

Layer 2 aggregate interface view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of Web authentication users allowed on an interface. The value range for this argument is 1 to 2048.

Usage guidelines

If the specified maximum number is smaller than the number of current online Web authentication users on the interface, the limit can still be set successfully. The limit does not affect the online Web authentication users. However, the device does not allow new Web authentication users to log in from the interface until the number of online users drops below the limit.

This command specifies the maximum number of only IPv4 Web authentication users.

Examples

# On Ten-GigabitEthernet 1/0/1, set the maximum number of Web authentication users to 32.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] web-auth max-user 32

Related commands

display web-auth

web-auth offline-detect

Use web-auth offline-detect to enable online detection of Web authentication users.

Use undo web-auth offline-detect to disable online detection of Web authentication users.

Syntax

web-auth offline-detect interval interval

undo web-auth offline-detect interval

Default

Online detection of Web authentication users is disabled.

Views

Layer 2 aggregate interface view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

interval: Specifies the Web authentication user detection interval, in the range of 60 to 65535 seconds.

Usage guidelines

This feature enables the device to detect packets of an online user at the specified detection interval. If no packet from the user is received within the interval, the device logs out the user and notifies the RADIUS server to stop accounting for the user.

To prevent the device from mistakenly logging out users, set the detection interval to be the same as the aging time of MAC address entries.

This feature does not take effect if Web authentication on the port operates in multi-VLAN mode.

Examples

# On Ten-GigabitEthernet 1/0/1, enable online detection of Web authentication users and set the detection interval to 3600 seconds.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] web-auth offline-detect interval 3600

web-auth proxy port

Use web-auth proxy port to add the port number of a Web proxy server.

Use undo web-auth proxy port to delete one or all Web proxy server port numbers.

Syntax

web-auth proxy [ https ] port port-number

undo web-auth proxy { all-port | [ https ] port port-number }

Default

No Web proxy server port numbers are configured on the device.

Views

System view

Predefined user roles

network-admin

Parameters

all-port: Specifies all TCP port numbers of Web proxy servers.

https: Specifies the HTTPS service. If you do not specify this keyword, this command applies to the HTTP service.

port-number: Specifies the TCP port number of a Web proxy server. The value range for this argument is 1 to 65535. Do not specify TCP port number 80 or 443 because 80 and 443 are port numbers reserved for Web authentication.

Usage guidelines

By default, HTTP or HTTPS requests proxied by Web proxy servers cannot trigger Web authentication but are silently dropped. To allow such HTTP or HTTPS requests to trigger Web authentication, specify the port numbers of the Web proxy servers on the device.

Do not specify the same Web proxy server port number for HTTP and HTTPS.

If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, follow these restrictions and guidelines:

·     Specify the port numbers of the Web proxy servers on the device.

·     Configure a Web authentication-free rule on the device to allow user packets destined for the IP address of the WPAD server to pass without authentication.

·     Users must add the IP address of the Web server for Web authentication as a proxy exception in their browsers. Then, HTTP or HTTPS packets that the users send to the Web server for Web authentication will not be sent to Web proxy servers.

You can repeat this command to add the port numbers of multiple Web proxy servers for Web authentication.
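The constraints of web-auth proxy port (1 to 65535, never 80 or 443, no port shared between HTTP and HTTPS) and the resulting trigger-or-drop decision for proxied requests, as an added Python model. It is not H3C code; the cfg dictionary layout and the function names are assumptions.

```python
# Constructed model of 'web-auth proxy [ https ] port port-number' and of
# whether a request can trigger Web authentication. Not H3C code.

RESERVED_PORTS = {80, 443}   # reserved for Web authentication itself

def add_proxy_port(cfg, port, https=False):
    """Model the command; cfg maps 'http'/'https' to a set of proxy ports."""
    if not 1 <= port <= 65535:
        raise ValueError("port must be 1 to 65535")
    if port in RESERVED_PORTS:
        raise ValueError("80 and 443 are reserved for Web authentication")
    service, other = ("https", "http") if https else ("http", "https")
    if port in cfg.setdefault(other, set()):
        raise ValueError("the same proxy port cannot serve both HTTP and HTTPS")
    cfg.setdefault(service, set()).add(port)
    return cfg

def remove_proxy_port(cfg, port=None, https=False, all_ports=False):
    """Model 'undo web-auth proxy { all-port | [ https ] port port-number }'."""
    if all_ports:
        cfg.clear()
        return cfg
    cfg.get("https" if https else "http", set()).discard(port)
    return cfg

def request_disposition(cfg, dst_port, https=False):
    """'trigger' if the request can start Web authentication, else 'drop'."""
    if dst_port == (443 if https else 80):
        return "trigger"   # direct request on the reserved port
    if dst_port in cfg.get("https" if https else "http", set()):
        return "trigger"   # request sent through a configured proxy port
    return "drop"          # proxied through an unconfigured port: silently dropped
```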

Examples

# Specify TCP port number 7777 as a Web proxy server port that allows HTTP requests to trigger Web authentication.

<Sysname> system-view

[Sysname] web-auth proxy port 7777

Related commands

display web-auth

web-auth server

Use web-auth server to create a local or remote Web server for Web authentication and enter its view, or enter the view of an existing Web server.

Use undo web-auth server to delete a local or remote Web server for Web authentication.

Syntax

web-auth [ remote ] server server-name

undo web-auth [ remote ] server server-name

Default

No Web servers for Web authentication exist.

Views

System view

Predefined user roles

network-admin

Parameters

remote: Specifies the remote Web server. If you do not specify this keyword, this command configures a local Web server.

server server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

In local or remote Web server view, you can configure the following parameters and features for the Web server:

·     IP address of the server.

·     Redirection URL.

·     Parameters to be carried in the redirection URL.

The local and remote Web servers cannot use the same name.

Examples

# Create a local Web server named wbls for Web authentication and enter Web authentication local Web server view.

<Sysname> system-view

[Sysname] web-auth server wbls

New Web server was added for local Web authentication.

[Sysname-web-auth-server-wbls]

# Create a remote Web server named wbrs for Web authentication and enter Web authentication remote Web server view.

<Sysname> system-view

[Sysname] web-auth remote server wbrs

New Web server was added for remote Web authentication.

[Sysname-web-auth-remote-server-wbrs]

Related commands

web-auth enable

web-auth timer temp-entry-aging

Use web-auth timer temp-entry-aging to configure the aging timer for temporary MAC address entries.

Use undo web-auth timer temp-entry-aging to restore the default.

Syntax

web-auth timer temp-entry-aging aging-time-value

undo web-auth timer temp-entry-aging

Default

The aging timer for temporary MAC address entries is 60 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time-value: Specifies the aging timer in seconds for temporary MAC address entries, in the range of 60 to 2147483647.

Usage guidelines

If Web authentication is enabled, the device generates a temporary MAC address entry when it detects traffic from a user for the first time. The entry records the MAC address, access interface, and VLAN ID of the user, as well as the aging time of the entry.

The aging timer works as follows:

·     If the user does not initiate authentication when the aging timer expires, the device deletes the temporary entry.

·     If the user passes authentication before the aging timer expires, the device deletes the aging timer and records online information for the Web authentication user.

·     If the user fails authentication before the aging timer expires and an Auth-Fail VLAN is specified for Web authentication, the device binds the MAC address of the user to the Auth-Fail VLAN and resets the aging timer. If the user still fails authentication when the aging timer expires, the device deletes the temporary entry for the user.

As a best practice, change the aging timer to a bigger value in the following cases:

·     Web authentication users without access rights frequently send traffic within a short time. As a result, the access device continuously initiates the Web authentication process, increasing the load on the device.

·     When a user fails authentication, the user does not have enough time to obtain resources from the Auth-Fail VLAN, for example, to download virus patches.
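The temporary MAC address entry life cycle described above (entry created on first traffic, timer dropped on success, timer reset on failure when an Auth-Fail VLAN exists, entry deleted on expiry), as an added Python model rather than H3C code. Times are plain integer seconds; the behaviour on failure without an Auth-Fail VLAN is an assumption, since the page does not describe it.

```python
# Constructed model of temporary MAC address entries and their aging timer.

class TempEntryTable:
    def __init__(self, aging_time=60, auth_fail_vlan=None):
        self.aging_time = aging_time          # web-auth timer temp-entry-aging
        self.auth_fail_vlan = auth_fail_vlan  # None: no Auth-Fail VLAN configured
        self.temp = {}     # mac -> {"iface", "vlan", "expires"}
        self.online = {}   # mac -> {"iface", "vlan"}

    def first_traffic(self, mac, iface, vlan, now):
        """First packet from a user that is neither online nor already tracked."""
        if mac in self.online or mac in self.temp:
            return False
        self.temp[mac] = {"iface": iface, "vlan": vlan,
                          "expires": now + self.aging_time}
        return True

    def auth_result(self, mac, passed, now):
        """Authentication outcome while the temporary entry is still valid."""
        entry = self.temp.get(mac)
        if entry is None or now >= entry["expires"]:
            return "no-entry"
        if passed:
            # Timer is deleted; the user becomes an online Web authentication user.
            del self.temp[mac]
            self.online[mac] = {"iface": entry["iface"], "vlan": entry["vlan"]}
            return "online"
        if self.auth_fail_vlan is not None:
            # Bind the MAC to the Auth-Fail VLAN and restart the aging timer.
            entry["vlan"] = self.auth_fail_vlan
            entry["expires"] = now + self.aging_time
            return "auth-fail-vlan"
        return "failed"   # assumption: entry stays and simply ages out

    def tick(self, now):
        """Delete temporary entries whose aging timer has expired."""
        expired = [m for m, e in self.temp.items() if now >= e["expires"]]
        for m in expired:
            del self.temp[m]
        return expired
```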

Examples

# Set the aging timer for temporary MAC address entries to 500 seconds.

<Sysname> system-view

[Sysname] web-auth timer temp-entry-aging 500

Related commands

mac-vlan enable

web-auth enable
