09-Security Command Reference

05-Web authentication commands

Web authentication commands

display web-auth

Use display web-auth to display Web authentication configuration and running status on interfaces.

Syntax

display web-auth [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays Web authentication configuration for all interfaces.

Examples

# Display Web authentication configuration on GigabitEthernet 1/0/1.

<Sysname> display web-auth interface gigabitethernet 1/0/1

 Global Web-auth parameters:

   HTTP proxy port numbers    : Total 4 ports

     1, 10, 100-101

   HTTPS proxy port numbers   : Total 5 ports

     201, 203, 205, 207, 2011

 Total online web-auth users  : 1

 

 GigabitEthernet1/0/1  is link-up

   Port role                  : Authenticator

   Web-auth domain            : my-domain

   Auth-Fail VLAN             : Not configured

   Offline-detect             : Not configured

   Max online users           : 1024

   Web-auth enable            : Enabled

   Host mode                   : Multiple-VLAN

   Primary Web server         : wbs1

   Secondary Web server       : wbs2

 

   Total online web-auth users: 1

Table 1 Command output

Field: Description

Global Web-auth parameters: Global Web authentication configuration.

HTTP proxy port numbers: HTTP port numbers of the Web proxy servers.

HTTPS proxy port numbers: HTTPS port numbers of the Web proxy servers.

Total online web-auth users: Total number of online Web authentication users on the device.

GigabitEthernet1/0/1 is link-up: State of the interface:

·     link-up—The interface is both administratively and physically up.

·     link-down—The interface is down.

Port role: Role of the port. The port functions only as an Authenticator.

Web-auth domain: ISP domain used by Web authentication.

Auth-Fail VLAN: Auth-Fail VLAN for Web authentication. This field displays Not configured if no Auth-Fail VLAN is configured.

Offline-detect: Interval of Web authentication user detection. This field displays Not configured if online detection for Web authentication users is disabled.

Max online users: Maximum number of Web authentication users allowed on the interface.

Web-auth enable: State of Web authentication:

·     Enabled.

·     Disabled.

Host mode: Web authentication VLAN mode for users moving from one VLAN to another on the port:

·     Single VLAN—Single-VLAN mode.

·     Multiple VLAN—Multi-VLAN mode.

Primary Web server: Name of the primary Web server for Web authentication.

Secondary Web server: Name of the secondary Web server for Web authentication.

Total online web-auth users: Total number of online Web authentication users on the interface.

display web-auth free-ip

Use display web-auth free-ip to display Web authentication-free subnets.

Syntax

display web-auth free-ip

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display Web authentication-free subnets.

<Sysname> display web-auth free-ip

 Free IP                  : 1.1.0.0        255.255.0.0

                          : 1.2.0.0        255.255.0.0

Related commands

web-auth free-ip

display web-auth server

Use display web-auth server to display Web server information for Web authentication.

Syntax

display web-auth server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies the name of a local or remote Web server, a case-sensitive string of 1 to 32 characters. If you do not specify a Web server, this command displays information about all Web servers.

Examples

# Display information about local Web server aaa for Web authentication.

<Sysname> display web-auth server aaa

Web server: aaa

  Type                  : Local

  IP address            : 8.8.8.8

  Port                  : 80

  IPv6 address          : 8:8::8:8

  IPv6 port             : 1

  URL                   : http://abc/portal/

  Redirect-wait-time    : 5

  URL parameters        : Not configured

# Display information about remote Web server bbb for Web authentication.

<Sysname> display web-auth server bbb

Web server: bbb

  Type                  : Remote

  IP address            : 7.7.7.7

  IPv6 address          : 7:7::7:7

  URL                   : http://abc/portal/

     Track ID           : 123

     Server state       : Active

  URL parameters        : Not configured

# Display information about all Web servers for Web authentication.

<Sysname> display web-auth server

Web server: aaa

  Type                  : Local

  IP address            : 8.8.8.8

  Port                  : 80

  IPv6 address          : 8:8::8:8

  IPv6 port             : 1

  URL                   : http://abc/portal/

  Redirect-wait-time    : 5

  URL parameters        : Not configured

 

Web server: bbb

  Type                  : Remote

  IP address            : 7.7.7.7

  IPv6 address          : 7:7::7:7

  URL                   : http://abc/portal/

     Track ID           : 123

     Server state       : Active

  URL parameters        : Not configured

Table 2 Command output

Field: Description

Type: Type of the Web server for Web authentication.

·     Local—Local Web server.

·     Remote—Remote Web server.

Web server: Name of the Web server for Web authentication.

IP address: IPv4 address of the Web server for Web authentication.

Port: Port number of the IPv4 local Web server for Web authentication. This field is available only for local Web servers.

IPv6 address: IPv6 address of the Web server for Web authentication.

IPv6 port: Port number of the IPv6 local Web server for Web authentication. This field is available only for local Web servers.

URL: Redirection URL of the Web server for Web authentication.

Track ID: ID of a track entry. If the Web server is not associated with Track, this field displays Not configured. This field is available only for remote Web servers.

Server state: State of the remote Web server for Web authentication. This field is available only for remote Web servers.

·     Active—The remote Web server is reachable.

·     Inactive—The remote Web server is unreachable.

Redirect-wait-time: Time before redirecting an authenticated user to the webpage requested by the user.

URL parameters: Parameters in the redirection URL.

display web-auth user

Use display web-auth user to display information about online Web authentication users on interfaces.

Syntax

display web-auth user [ interface interface-type interface-number | slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays information about online Web authentication users on all interfaces.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays online Web authentication user information for all member devices.

Examples

# Display information about online Web authentication users on GigabitEthernet 1/0/1.

<Sysname> display web-auth user interface gigabitethernet 1/0/1

  Total online web-auth users: 1

 

User name: user1

  MAC address: 0000-2700-b076

  Access interface: GigabitEthernet 1/0/1

  Initial VLAN: 1

  Authorization VLAN: N/A

  Authorization ACL ID: N/A

  Authorization user profile: N/A

Table 3 Command output

Field: Description

Total online web-auth users: Total number of online Web authentication users.

User name: Name of the online Web authentication user.

MAC address: MAC address of the online Web authentication user.

Access interface: Access interface of the online Web authentication user.

Initial VLAN: Initial VLAN of the user before the user passes Web authentication.

Authorization VLAN: Authorization VLAN ID of the online Web authentication user.

Authorization ACL ID: Authorization ACL number of the online Web authentication user.

Authorization user profile: Status of the user profile of the online Web authentication user:

·     N/A—No user profile is authorized.

·     Active—The authorized user profile is applied to the user access interface successfully.

·     Inactive—The authorized user profile is not applied to the user access interface, or the user profile does not exist on the device.

ip (Web authentication local Web server view)

Use ip to specify the IPv4 address and port number for a local Web server for Web authentication.

Use undo ip to restore the default.

Syntax

ip ipv4-address port port-number

undo ip

Default

No IPv4 address or port number is specified for a local Web server for Web authentication.

Views

Web authentication local Web server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the local Web server. This IP address is that of a Layer 3 interface on the access device and must be routable to and from the Web authentication user.

port port-number: Specifies the port number of the local Web server, in the range of 1 to 65535.

User guidelines

As a best practice, use the IP address of a loopback interface as the IP address of the local Web server. A loopback interface has the following advantages:

·     The status of a loopback interface is stable. This can avoid authentication page access failures caused by interface failures.

·     A loopback interface does not forward received packets. This can avoid impacting system performance when there are many network access requests.

The port number of the local Web server must be the same as the listening port number of the local portal Web service. For more information about the local portal Web service configuration, see portal authentication in Security Configuration Guide.

You can configure one IPv4 address and one IPv6 address for a local Web server.

If you execute this command multiple times for a local Web server, the most recent configuration takes effect.

Examples

# Enter the view of local Web server wbls.

<Sysname> system-view

[Sysname] web-auth server wbls

# Specify 192.168.1.1 as the IPv4 address and 8080 as the port number for the local Web server.

[Sysname-web-auth-server-wbls] ip 192.168.1.1 port 8080

Related commands

tcp-port

ip (Web authentication remote Web server view)

Use ip to specify the IPv4 address for a remote Web server for Web authentication.

Use undo ip to restore the default.

Syntax

ip ipv4-address

undo ip

Default

No IPv4 address is specified for a remote Web server for Web authentication.

Views

Web authentication remote Web server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the remote Web server.

User guidelines

The IPv4 address of the remote Web server must be the IPv4 address of the portal Web server used for Web authentication.

You can configure one IPv4 address and one IPv6 address for a remote Web server.

If you execute this command multiple times for a remote Web server, the most recent configuration takes effect.

Examples

# Enter the view of remote Web server wbrs.

<Sysname> system-view

[Sysname] web-auth remote server wbrs

# Specify 1.2.3.4 as the IPv4 address of the remote Web server.

[Sysname-web-auth-remote-server-wbrs] ip 1.2.3.4

ipv6 (Web authentication local Web server view)

Use ipv6 to specify the IPv6 address and port number for a local Web server for Web authentication.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address port port-number

undo ipv6

Default

No IPv6 address or port number is specified for a local Web server for Web authentication.

Views

Web authentication local Web server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the local Web server. This IPv6 address is that of a Layer 3 interface on the access device and must be routable to and from the Web authentication user.

port port-number: Specifies the port number of the local Web server, in the range of 1 to 65535.

User guidelines

As a best practice, use the IPv6 address of a loopback interface as the IPv6 address of the local Web server. A loopback interface has the following advantages:

·     The status of a loopback interface is stable. This can avoid authentication page access failures caused by interface failures.

·     A loopback interface does not forward received packets. This can avoid impacting system performance when there are many network access requests.

The port number of the local Web server must be the same as the listening port number of the local portal Web service. For more information about the local portal Web service configuration, see portal authentication in Security Configuration Guide.

You can configure one IPv4 address and one IPv6 address for a local Web server.

If you execute this command multiple times for a local Web server, the most recent configuration takes effect.

Examples

# Enter the view of local Web server wbls.

<Sysname> system-view

[Sysname] web-auth server wbls

# Specify 1:2::3:4 as the IPv6 address and 8080 as the port number for the local Web server.

[Sysname-web-auth-server-wbls] ipv6 1:2::3:4 port 8080

Related commands

tcp-port

ipv6 (Web authentication remote Web server view)

Use ipv6 to specify the IPv6 address for a remote Web server for Web authentication.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address

undo ipv6

Default

No IPv6 address is specified for a remote Web server for Web authentication.

Views

Web authentication remote Web server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the remote Web server.

User guidelines

The IPv6 address of the remote Web server must be the IPv6 address of the portal Web server used for Web authentication.

You can configure one IPv4 address and one IPv6 address for a remote Web server.

If you execute this command multiple times for a remote Web server, the most recent configuration takes effect.

Examples

# Enter the view of remote Web server wbrs.

<Sysname> system-view

[Sysname] web-auth remote server wbrs

# Specify 1:2::3:4 as the IPv6 address of the remote Web server.

[Sysname-web-auth-remote-server-wbrs] ipv6 1:2::3:4

redirect-wait-time

Use redirect-wait-time to set the redirection wait time. After a user passes Web authentication, the device waits for the specified period of time before redirecting the user to the specified webpage.

Use undo redirect-wait-time to restore the default.

Syntax

redirect-wait-time period

undo redirect-wait-time

Default

The redirection wait time is 5 seconds.

Views

Web authentication local server view

Predefined user roles

network-admin

Parameters

period: Specifies the redirection wait time in the range of 1 to 90 seconds.

Usage guidelines

After a user passes Web authentication and is assigned an authorization VLAN, the user might need to change the IP address of the authentication client. To ensure that the redirection URL can be successfully opened, set the redirection wait time to be greater than the time that the user takes to update the IP address of the client.

Examples

# Set the redirection wait time for authenticated users to 10 seconds.

<Sysname> system-view

[Sysname] web-auth server wbls

[Sysname-web-auth-server-wbls] redirect-wait-time 10

url

Use url to specify the redirection URL for a Web server for Web authentication.

Use undo url to restore the default.

Syntax

url url-string [ track track-entry-number ]

undo url

Default

No redirection URL is specified for a Web server for Web authentication.

Views

Web authentication server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the redirection URL of the Web server, a case-sensitive string of 1 to 256 characters. The URL string must start with http:// or https:// and can include question marks (?). If you enter a question mark (?) in the place of this argument, the CLI does not display help information for this argument. The IP address and port number in the URL must be the same as those of the local Web server for Web authentication.

track track-entry-number: Associates a track entry with the Web server to detect the server state changes. The track-entry-number argument specifies the ID of the associated track entry, in the range of 1 to 1024. This option is configurable only in remote Web server view.

Usage guidelines

By default, the state of the Web server specified by the redirection URL is always active. The device cannot obtain the real server state. When primary and secondary Web servers are deployed for continuous authentication service, the device needs to quickly obtain the primary server's state changes to perform primary/secondary switchovers accordingly.

You can associate the Web server with a track entry that is associated with NQA, so the device can periodically detect the reachability of the server through NQA.

·     The Track module changes the state of the track entry according to the NQA detection result. The device changes the state of the Web server according to the state of the track entry.

·     In this way, if NQA detects that the Web server becomes reachable, the device will set the server state to active. If NQA detects that the Web server becomes unreachable, the device will set the server state to inactive.

The NQA detection for server reachability is performed according to the nqa schedule configuration, which schedules the NQA operation associated with the track entry. Configure the NQA operation time and other detection parameters as needed.

For more information about the NQA configuration, see Network Management and Monitoring Configuration Guide. For more information about the Track configuration, see High Availability Configuration Guide.

To provide Web authentication pages for both IPv4 and IPv6 Web authentication users, configure the redirection URL to carry the domain name of the Web server. Example: http://abc.com, where abc.com is the domain name of the Web server.

A Web server can be associated with only one track entry. If you associate Track with the Web server multiple times, the most recent configuration takes effect.

Examples

# Specify http://192.168.1.1:80/portal/ as the redirection URL of local Web server wbls for Web authentication.

<Sysname> system-view

[Sysname] web-auth server wbls

[Sysname-web-auth-server-wbls] url http://192.168.1.1:80/portal/

# Specify http://192.168.1.1:80/portal/ as the redirection URL of remote Web server wbrs for Web authentication, and associate the Web server with track entry 1.

[Sysname] web-auth remote server wbrs

[Sysname-web-auth-remote-server-wbrs] url http://192.168.1.1:80/portal/ track 1

Related commands

ip

nqa schedule (Network Management and Monitoring Command Reference)

tcp-port

track nqa (High Availability Command Reference)

web-auth enable

url-parameter

Use url-parameter to add parameters to the redirection URL of Web authentication.

Use undo url-parameter to delete parameters from the redirection URL of Web authentication.

Syntax

url-parameter parameter-name { original-url | source-address | source-mac | value expression }

undo url-parameter parameter-name

Default

No URL parameters are added to the redirection URL of Web authentication.

Views

Web authentication local server view

Web authentication remote server view

Predefined user roles

network-admin

Parameters

parameter-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. The content of the parameter is determined by the keyword that follows the name.

original-url: Specifies the URL of the original webpage that a portal user visits.

source-address: Specifies the user IP address.

source-mac: Specifies the user MAC address.

value expression: Specifies a custom case-sensitive string of 1 to 256 characters. The string can include question marks (?). If you enter a question mark (?) in the place of the expression argument, the CLI does not display help information for this argument.

Usage guidelines

You can repeat this command to add multiple URL parameters to the redirection URL of Web authentication. For example, to add the user IP address and a custom string of http://www.abc.com/welcome to the redirection URL, execute the following commands:

·     url-parameter userip source-address

·     url-parameter userurl value http://www.abc.com/welcome

The device will redirect Web requests from IP address 1.1.1.1 to the URL at http://192.168.1.1/portal?userip=1.1.1.1&userurl=http://www.abc.com/welcome.

If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect.

When you configure the parameter-name argument in this command, you must use the URL parameter name supported by the Web browser. Different Web browsers support different URL parameter names.

Examples

# Add parameters userip and userurl to the redirection URL of local Web server wbls.

<Sysname> system-view

[Sysname] web-auth server wbls

[Sysname-web-auth-server-wbls] url-parameter userip source-address

[Sysname-web-auth-server-wbls] url-parameter userurl value http://www.abc.com/welcome

Related commands

web-auth server
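The URL composition that the url-parameter usage guidelines describe, as an added Python model (not H3C code). It replays the two commands from the guidelines, reproduces the "most recent configuration takes effect" rule for a repeated parameter name, builds the redirection URL exactly as the page shows it (values appended verbatim), and then shows what a portal server recovers when it splits the query string. The encode option is an addition of this example, not a device setting: it demonstrates why an unencoded original-url that carries its own "?" and "&" is read by the portal as extra parameters. The user addresses and the original URL (intranet.example) are constructed.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Keywords the url-parameter command accepts.
KEYWORDS = ("original-url", "source-address", "source-mac", "value")


def apply_url_parameter(config, name, keyword, expression=None):
    """Model one 'url-parameter name keyword [expression]' command.

    Repeating the command for the same parameter name replaces the earlier
    entry, as the usage guidelines state.
    """
    if keyword not in KEYWORDS:
        raise ValueError(f"unknown keyword {keyword}")
    if (keyword == "value") != (expression is not None):
        raise ValueError("expression is required with 'value' and not allowed otherwise")
    config[:] = [entry for entry in config if entry[0] != name]
    config.append((name, keyword, expression))
    return config


def undo_url_parameter(config, name):
    """Model 'undo url-parameter name'."""
    config[:] = [entry for entry in config if entry[0] != name]
    return config


def build_redirect_url(base_url, config, user_ip, user_mac, original_url, encode=False):
    """Compose the redirection URL as the usage guidelines describe.

    encode=False appends values verbatim, matching the URL shown on the page.
    encode=True (an added option, not a device setting) percent-encodes each
    value so an original-url containing '?' or '&' cannot be mistaken for
    extra parameters by the portal that parses the query string.
    """
    sources = {
        "original-url": original_url,
        "source-address": user_ip,
        "source-mac": user_mac,
    }
    pairs = []
    for name, keyword, expression in config:
        content = expression if keyword == "value" else sources[keyword]
        if encode:
            content = quote(content, safe="")
        pairs.append(f"{name}={content}")
    separator = "&" if "?" in base_url else "?"
    return base_url + separator + "&".join(pairs)


def portal_parameters(redirect_url):
    """What a portal server sees after splitting the query string.

    parse_qsl splits on '&' and decodes percent-escapes, so only the encoded
    form survives a value that itself carries '&'.
    """
    return dict(parse_qsl(urlsplit(redirect_url).query, keep_blank_values=True))


if __name__ == "__main__":
    config = []
    apply_url_parameter(config, "userip", "source-address")
    apply_url_parameter(config, "userurl", "value", "http://www.abc.com/welcome")
    # Constructed user: IP 1.1.1.1, MAC from the display output, original URL made up.
    url = build_redirect_url("http://192.168.1.1/portal", config,
                             "1.1.1.1", "0000-2700-b076", "http://intranet.example/")
    print(url)
    print(portal_parameters(url))
```

With the two commands from the guidelines the function returns http://192.168.1.1/portal?userip=1.1.1.1&userurl=http://www.abc.com/welcome, the URL the page gives. A portal that consumes original-url should expect the verbatim form and parse defensively, since the device does not encode the value.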

web-auth auth-fail vlan

Use web-auth auth-fail vlan to specify an Auth-Fail VLAN for Web authentication.

Use undo web-auth auth-fail vlan to restore the default.

Syntax

web-auth auth-fail vlan authfail-vlan-id

undo web-auth auth-fail vlan

Default

No Auth-Fail VLAN is specified for Web authentication.

Views

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

authfail-vlan-id: Specifies the Auth-Fail VLAN ID, in the range of 1 to 4094. The specified VLAN must already exist.

User guidelines

After you configure this command on an interface, users who failed Web authentication on the interface can access resources in the Auth-Fail VLAN. You must also configure the IP address of the server that provides the resources as an authentication-free IP address.

To make the Auth-Fail VLAN take effect, you must also enable MAC-based VLAN on the interface, and set the subnet of the Auth-Fail VLAN as the Web authentication-free subnet.

Because MAC-based VLAN takes effect only on Hybrid ports, Auth-Fail VLAN also takes effect only on Hybrid ports.

If a user fails Web authentication, the device maps the MAC address of the user to the Auth-Fail VLAN.

You cannot delete a VLAN that has been configured as an Auth-Fail VLAN. To delete this VLAN, first cancel the Auth-Fail VLAN configuration by using the undo web-auth auth-fail vlan command.

Examples

# Specify VLAN 5 as Web authentication Auth-Fail VLAN on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port link-type hybrid

[Sysname-GigabitEthernet1/0/1] mac-vlan enable

[Sysname-GigabitEthernet1/0/1] web-auth auth-fail vlan 5

Related commands

display web-auth

web-auth domain

Use web-auth domain to specify an authentication domain for Web authentication users on an interface.

Use undo web-auth domain to restore the default.

Syntax

web-auth domain domain-name

undo web-auth domain

Default

No authentication domain is specified for Web authentication users on an interface.

Views

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP authentication domain name, a case-insensitive string of 1 to 255 characters.

User guidelines

After you configure this command, the device uses the authentication domain for authentication, authorization and accounting (AAA) of the Web authentication users on the interface.

Examples

# Specify domain my-domain as the authentication domain of Web authentication users on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] web-auth domain my-domain

web-auth enable

Use web-auth enable to enable Web authentication.

Use undo web-auth enable to disable Web authentication.

Syntax

web-auth enable apply server primary-server-name [ secondary-server secondary-server-name ]

undo web-auth enable

Default

Web authentication is disabled.

Views

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

primary-server-name: Specifies the name of the primary Web server for Web authentication, a case-sensitive string of 1 to 32 characters.

secondary-server secondary-server-name: Specifies the name of the secondary Web server for Web authentication, a case-sensitive string of 1 to 32 characters.

User guidelines

Use this command to enable Web authentication on an interface and specify a primary or a secondary Web server.

For Web authentication to operate correctly, do not enable port security or configure the port security mode on the Layer 2 interface enabled with Web authentication.

To deploy both primary and secondary Web servers, follow these restrictions and guidelines:

·     Only a remote Web server can be used as the primary Web server. A remote or local Web server can be used as the secondary Web server.

·     Associate the primary Web server with a track entry (by using the url url-string track track-entry-number command) to monitor the reachability status of the server. Otherwise, the device cannot sense the reachability state changes of the primary server to perform primary/secondary switchovers.

Examples

# Enable Web authentication and specify primary Web server wbs1 and secondary Web server wbs2 on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] web-auth enable apply server wbs1 secondary-server wbs2

Related commands

display web-auth

url

web-auth server
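The primary/secondary behaviour that the url usage guidelines and the web-auth enable guidelines describe, as an added Python model (not H3C code). It treats a server without a track entry as always active, derives a tracked server's state from a constructed Track table, checks the deployment restrictions listed above, and replays a sequence of NQA results to show when the device would switch to the secondary server. Server names and URLs come from the page's examples; the Track state names "positive" and "negative" and the detection results are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class WebServer:
    name: str
    remote: bool                     # True: web-auth remote server; False: web-auth server (local)
    url: str
    track_id: Optional[int] = None   # from 'url url-string track track-entry-number'


@dataclass
class TrackTable:
    """Constructed stand-in for the Track module: entry id -> 'positive' or 'negative'.

    The state names are assumed; the page only says Track follows the NQA result.
    """
    states: Dict[int, str] = field(default_factory=dict)

    def is_positive(self, track_id: int) -> bool:
        return self.states.get(track_id) == "positive"


def server_state(server: WebServer, tracks: TrackTable) -> str:
    """'active' or 'inactive', as shown by display web-auth server.

    Without a track entry the device cannot learn the real state and reports
    the server as always active.
    """
    if server.track_id is None:
        return "active"
    return "active" if tracks.is_positive(server.track_id) else "inactive"


def validate_deployment(primary: WebServer, secondary: Optional[WebServer]) -> List[str]:
    """Findings against the url and web-auth enable usage guidelines."""
    findings = []
    if primary.track_id is not None and not primary.remote:
        findings.append(f"{primary.name}: track is configurable only in remote Web server view")
    if secondary is not None:
        if not primary.remote:
            findings.append(f"{primary.name}: only a remote Web server can be the primary")
        if primary.track_id is None:
            findings.append(f"{primary.name}: no track entry, so primary/secondary switchover cannot be detected")
    return findings


def select_server(primary: WebServer, secondary: Optional[WebServer], tracks: TrackTable) -> str:
    """Name of the server that serves the login page right now."""
    if secondary is None or server_state(primary, tracks) == "active":
        return primary.name
    return secondary.name


def switchover_log(primary, secondary, tracks, track_events):
    """Replay constructed Track results and record which server is chosen after each."""
    chosen = []
    for track_id, state in track_events:
        tracks.states[track_id] = state
        chosen.append((state, select_server(primary, secondary, tracks)))
    return chosen


if __name__ == "__main__":
    wbs1 = WebServer("wbs1", True, "http://192.168.1.1:80/portal/", track_id=1)
    wbs2 = WebServer("wbs2", False, "http://192.168.1.1:80/portal/")
    tracks = TrackTable({1: "positive"})
    print(validate_deployment(wbs1, wbs2))
    print(switchover_log(wbs1, wbs2, tracks, [(1, "negative"), (1, "positive")]))
```

The replay makes the second guideline concrete: with no track entry on the primary, server_state never returns "inactive", so select_server never moves to the secondary however long the primary is unreachable.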

web-auth free-ip

Use web-auth free-ip to specify a Web authentication-free subnet.

Use undo web-auth free-ip to restore the default.

Syntax

web-auth free-ip ip-address { mask-length | mask }

undo web-auth free-ip { ip-address { mask-length | mask } | all }

Default

No Web-authentication-free subnets exist.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the Web authentication-free subnet address.

mask-length: Specifies the mask length of the Web authentication-free subnet address, in the range of 1 to 32.

mask: Specifies a mask for the Web authentication-free subnet in dotted decimal notation.

all: Specifies all Web authentication-free subnets.

User guidelines

Web authentication users can access resources in Web authentication-free subnets without being authenticated.

You can repeat this command to configure multiple Web authentication-free subnets.

Examples

# Configure subnet 192.168.0.0/24 as a Web authentication-free subnet.

<Sysname> system-view

[Sysname] web-auth free-ip 192.168.0.0 24

web-auth host-mode multi-vlan

Use web-auth host-mode multi-vlan to enable multi-VLAN mode for Web authentication users on a port.

Use undo web-auth host-mode multi-vlan to restore the default.

Syntax

web-auth host-mode multi-vlan

undo web-auth host-mode multi-vlan

Default

Web authentication operates in single-VLAN mode on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

In multi-VLAN mode, the port forwards traffic from a user in different VLANs without reauthentication if the user has been authenticated and has come online in any VLAN on the port.

In single-VLAN mode, the port reauthenticates an online user when traffic received from that user contains a VLAN tag different from the VLAN in which the user was authenticated. The authentication process differs depending on the MAC move setting in port security and the authorization VLAN assignment status, as follows:

·     If no authorization VLAN has been assigned to the online user, the device first logs off the user and then reauthenticates the user in the new VLAN.

·     If the online user has been assigned an authorization VLAN, the device handles the user depending on the MAC move setting in port security.

      ·     If MAC move is disabled in port security, the user cannot pass authentication and come online from the new VLAN until after it goes offline from the port.

      ·     If MAC move is enabled in port security, the user can pass authentication on the new VLAN and come online without having to first go offline from the port. After the user passes authentication on the new VLAN, the original authentication session of the user is deleted from the port.

To enable the port security MAC move feature, use the port-security mac-move permit command.

Examples

# Enable Web authentication multi-VLAN mode on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] web-auth host-mode multi-vlan

Related commands

display web-auth

port-security mac-move permit
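The decision tree in the usage guidelines above, as an added Python model (not H3C code). One function returns the action for a frame from an online user whose VLAN tag differs from the VLAN the user authenticated in, covering multi-VLAN mode and the three single-VLAN branches (no authorization VLAN, authorization VLAN with MAC move disabled, authorization VLAN with MAC move enabled); a second function replays a constructed sequence of tags and assumes that each reauthentication succeeds. The user names and MAC addresses are constructed; the action labels are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OnlineUser:
    name: str
    mac: str
    auth_vlan: int                            # VLAN the user was authenticated in
    authorization_vlan: Optional[int] = None  # None corresponds to "N/A" in display web-auth user


@dataclass
class PortConfig:
    multi_vlan: bool = False        # web-auth host-mode multi-vlan
    mac_move_permit: bool = False   # port-security mac-move permit


def on_tagged_frame(user: OnlineUser, frame_vlan: int, port: PortConfig) -> str:
    """Action for a frame from an online user, given the VLAN tag it arrived with."""
    if frame_vlan == user.auth_vlan:
        return "forward"
    if port.multi_vlan:
        return "forward"                        # multi-VLAN mode: no reauthentication
    if user.authorization_vlan is None:
        return "logoff-then-reauthenticate"     # single-VLAN, no authorization VLAN
    if not port.mac_move_permit:
        return "reject-until-offline"           # authorization VLAN, MAC move disabled
    return "reauthenticate-in-new-vlan"         # MAC move enabled: old session deleted


def replay(user: OnlineUser, port: PortConfig, frames: List[int]) -> List[Tuple[int, str]]:
    """Apply a constructed sequence of VLAN tags and follow the session as it moves.

    Assumption of this example: every reauthentication succeeds, so the user's
    auth_vlan becomes the new VLAN after either reauthentication outcome.
    """
    trail = []
    for vlan in frames:
        action = on_tagged_frame(user, vlan, port)
        if action in ("logoff-then-reauthenticate", "reauthenticate-in-new-vlan"):
            user.auth_vlan = vlan
        trail.append((vlan, action))
    return trail


if __name__ == "__main__":
    user = OnlineUser("user2", "0000-2700-b077", auth_vlan=1, authorization_vlan=10)
    for cfg in (PortConfig(), PortConfig(mac_move_permit=True), PortConfig(multi_vlan=True)):
        print(cfg, replay(OnlineUser(user.name, user.mac, 1, 10), cfg, [1, 2, 2]))
```

The three runs in the main block show the practical difference: with the default port configuration the user stays rejected on VLAN 2 until it goes offline, with MAC move permitted it moves across after one reauthentication, and in multi-VLAN mode it is forwarded with no reauthentication at all.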

web-auth max-user

Use web-auth max-user to set the maximum number of Web authentication users allowed on an interface.

Use undo web-auth max-user to restore the default.

Syntax

web-auth max-user max-number

undo web-auth max-user

Default

The maximum number of Web authentication users allowed on an interface is 1024.

Views

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of Web authentication users allowed on an interface. The value range for this argument is 1 to 2048.

User guidelines

If the specified maximum number is smaller than the number of current online Web authentication users on the interface, the limit can still be set successfully. The limit does not affect the users already online. However, the device does not allow new Web authentication users to log in from the interface until the number of online users drops below the limit.

This command specifies the maximum number of only IPv4 Web authentication users.

Examples

# On GigabitEthernet 1/0/1, set the maximum number of Web authentication users to 32.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] web-auth max-user 32

Related commands

display web-auth

web-auth offline-detect

Use web-auth offline-detect to enable online detection of Web authentication users.

Use undo web-auth offline-detect to disable online detection of Web authentication users.

Syntax

web-auth offline-detect interval interval

undo web-auth offline-detect interval

Default

Online detection of Web authentication users is disabled.

Views

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

interval: Specifies the Web authentication user detection interval, in the range of 60 to 65535 seconds.

User guidelines

This feature enables the device to detect packets of an online user at the specified detection interval. If no packet from the user is received within the interval, the device logs out the user and notifies the RADIUS server to stop accounting for the user.

To prevent the device from mistakenly logging out users, set the detection interval to be the same as the aging time of MAC address entries.

This feature does not take effect if Web authentication on the port operates in multi-VLAN mode.

Examples

# On GigabitEthernet 1/0/1, enable online detection of Web authentication users and set the detection interval to 3600 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] web-auth offline-detect interval 3600

web-auth proxy port

Use web-auth proxy port to add the port number of a Web proxy server.

Use undo web-auth proxy port to delete one or all Web proxy server port numbers.

Syntax

web-auth proxy [ https ] port port-number

undo web-auth proxy { all-port | [ https ] port port-number }

Default

No Web proxy server port numbers are configured on the device.

Views

System view

Predefined user roles

network-admin

Parameters

all-port: Specifies all TCP port numbers of Web proxy servers.

https: Specifies the HTTPS service. If you do not specify this keyword, this command applies to the HTTP service.

port port-number: Specifies the TCP port number of a Web proxy server. The value range for this argument is 1 to 65535. Do not specify TCP port number 80 or 443, because 80 and 443 are reserved for Web authentication.

User guidelines

By default, HTTP or HTTPS requests proxied by Web proxy servers cannot trigger Web authentication but are silently dropped. To allow such HTTP or HTTPS requests to trigger Web authentication, specify the port numbers of the Web proxy servers on the device.

Do not specify the same Web proxy server port number for HTTP and HTTPS.

If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, follow these restrictions and guidelines:

·     Specify the port numbers of the Web proxy servers on the device.

·     Configure a Web authentication-free rule on the device to allow user packets destined for the IP address of the WPAD server to pass without authentication.

·     Users must add the IP address of the Web server for Web authentication as a proxy exception in their browsers. Then, HTTP or HTTPS packets that the users send to the Web server for Web authentication will not be sent to Web proxy servers.

You can repeat this command to add the port numbers of multiple Web proxy servers for Web authentication.
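A pre-deployment check for the proxy port rules described above (value range 1 to 65535, ports 80 and 443 reserved, and no port shared between HTTP and HTTPS). This is an added example, not code from the H3C document or device; it reads planned web-auth proxy port command lines from a text configuration and reports violations before the configuration is pushed. The sample configuration lines are constructed for illustration.

```python
"""Checker for planned 'web-auth proxy [ https ] port port-number' commands.

Added example (not part of the H3C command reference). It applies the rules
stated in the user guidelines:
  - port numbers must be in the range 1 to 65535
  - 80 and 443 are reserved for Web authentication and must not be used
  - the same port number must not be configured for both HTTP and HTTPS
"""
import re

# Matches e.g. "web-auth proxy port 7777" and "web-auth proxy https port 8443".
PROXY_RE = re.compile(r"^\s*web-auth\s+proxy\s+(https\s+)?port\s+(\d+)\s*$")
RESERVED_PORTS = {80, 443}


def parse_proxy_ports(config_lines):
    """Return {'http': set(), 'https': set()} of proxy ports found in the lines.

    Lines that are not web-auth proxy port commands are ignored, so a whole
    running-config dump can be passed in.
    """
    ports = {"http": set(), "https": set()}
    for line in config_lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        service = "https" if m.group(1) else "http"
        ports[service].add(int(m.group(2)))
    return ports


def check_proxy_ports(ports):
    """Return a list of violation messages; an empty list means the plan is OK."""
    problems = []
    for service in ("http", "https"):
        for p in sorted(ports[service]):
            if not 1 <= p <= 65535:
                problems.append(f"{service} port {p}: out of range 1-65535")
            elif p in RESERVED_PORTS:
                problems.append(f"{service} port {p}: reserved for Web authentication")
    # The guidelines forbid the same proxy port for HTTP and HTTPS.
    for p in sorted(ports["http"] & ports["https"]):
        problems.append(f"port {p}: configured for both HTTP and HTTPS")
    return problems


# Constructed sample configuration (hypothetical values, not from the document).
SAMPLE_CONFIG = [
    "web-auth proxy port 7777",         # valid HTTP proxy port
    "web-auth proxy https port 8443",   # valid HTTPS proxy port
    "web-auth proxy port 443",          # reserved port
    "web-auth proxy port 8443",         # same port as the HTTPS entry
    "web-auth proxy https port 70000",  # out of range
    "web-auth enable",                  # unrelated line, ignored
]


def check_sample():
    """Run the checker over SAMPLE_CONFIG and return the violations."""
    return check_proxy_ports(parse_proxy_ports(SAMPLE_CONFIG))


if __name__ == "__main__":
    for msg in check_sample():
        print(msg)
```

Run the script against a saved configuration plan before applying it on the device; every line printed corresponds to a rule on this page that would cause the command to be rejected or, in the HTTP/HTTPS overlap case, a configuration the guidelines tell you to avoid.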

Examples

# Specify TCP port number 7777 as a Web proxy server port that allows HTTP requests to trigger Web authentication.

<Sysname> system-view

[Sysname] web-auth proxy port 7777

Related commands

display web-auth

web-auth server

Use web-auth server to create a local or remote Web server for Web authentication and enter its view, or enter the view of an existing Web server.

Use undo web-auth server to delete a local or remote Web server for Web authentication.

Syntax

web-auth [ remote ] server server-name

undo web-auth [ remote ] server server-name

Default

No Web servers for Web authentication exist.

Views

System view

Predefined user roles

network-admin

Parameters

remote: Specifies the remote Web server. If you do not specify this keyword, this command configures a local Web server.

server server-name: Specifies a Web authentication server name, a case-sensitive string of 1 to 32 characters.

User guidelines

In local or remote Web server view, you can configure the following parameters and features for the Web server:

·     IP address of the server.

·     Redirection URL.

·     Parameters to be carried in the redirection URL.

The local and remote Web servers cannot use the same name.

Examples

# Create a local Web server named wbls for Web authentication and enter Web authentication local Web server view.

<Sysname> system-view

[Sysname] web-auth server wbls

New Web server was added for local Web authentication.

[Sysname-web-auth-server-wbls]

# Create a remote Web server named wbrs for Web authentication and enter Web authentication remote Web server view.

<Sysname> system-view

[Sysname] web-auth remote server wbrs

New Web server was added for remote Web authentication.

[Sysname-web-auth-remote-server-wbrs]

Related commands

web-auth enable
