08-Portal Commands
1 Portal Configuration Commands
display portal acl
Syntax
display portal acl { all | dynamic | static } interface interface-type interface-number
View
Any view
Default Level
1: Monitor level
Parameters
all: Displays all portal access control lists (ACLs), including dynamic ones and static ones.
dynamic: Displays dynamic portal ACLs, namely, ACLs generated dynamically after a user passes portal authentication.
static: Displays static portal ACLs, namely, ACLs configured by commands.
interface interface-type interface-number: Displays the ACLs on the specified interface.
Description
Use the display portal acl command to display the ACLs on a specified interface.
Examples
# Display all ACLs on VLAN-interface1.
<Sysname> display portal acl all interface vlan-interface 1
Vlan-interface1 portal ACL rule:
Rule 0
Inbound interface : GigabitEthernet1/0/1
Type : static
Action : permit
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
MAC : 0000-0000-0000
Interface : any
VLAN : 1
Protocol : 0
Destination:
IP : 82.0.0.3
Mask : 255.255.255.255
Rule 1
Inbound interface : GigabitEthernet1/0/2
Type : static
Action : permit
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
MAC : 0000-0000-0000
Interface : any
VLAN : 1
Protocol : 0
Destination:
IP : 82.0.0.3
Mask : 255.255.255.255
Table 1-1 display portal acl command output description
Field | Description
Rule | Sequence number of the portal ACL, numbered from 0 in ascending order
Inbound interface | Interface to which the portal ACL is bound
Type | Type of the portal ACL
Action | Match action in the portal ACL
Source | Source information in the portal ACL
IP | Source IP address in the portal ACL
Mask | Subnet mask of the source IP address in the portal ACL
MAC | Source MAC address in the portal ACL
Interface | Source interface in the portal ACL
VLAN | Source VLAN in the portal ACL
Protocol | Protocol type in the portal ACL
Destination | Destination information in the portal ACL
IP | Destination IP address in the portal ACL
Mask | Subnet mask of the destination IP address in the portal ACL
Author ACL | Authorization ACL information. Displayed only when the Type field has the value dynamic.
Number | Authorization ACL number assigned by the RADIUS server. None indicates that the server did not assign any ACL.
display portal connection statistics
Syntax
display portal connection statistics { all | interface interface-type interface-number }
View
Any view
Default Level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display portal connection statistics command to display portal connection statistics on a specified interface or all interfaces.
Examples
# Display portal connection statistics on VLAN-interface1.
<Sysname> display portal connection statistics interface vlan-interface 1
---------------Interface: Vlan-interface 1-----------------------
User state statistics:
State-Name User-Num
VOID 0
DISCOVERED 0
WAIT_AUTHEN_ACK 0
WAIT_AUTHOR_ACK 0
WAIT_LOGIN_ACK 0
WAIT_ACL_ACK 0
WAIT_NEW_IP 0
WAIT_USERIPCHANGE_ACK 0
ONLINE 1
WAIT_LOGOUT_ACK 0
WAIT_LEAVING_ACK 0
Message statistics:
Msg-Name Total Err Discard
MSG_AUTHEN_ACK 3 0 0
MSG_AUTHOR_ACK 3 0 0
MSG_LOGIN_ACK 3 0 0
MSG_LOGOUT_ACK 2 0 0
MSG_LEAVING_ACK 0 0 0
MSG_CUT_REQ 0 0 0
MSG_AUTH_REQ 3 0 0
MSG_LOGIN_REQ 3 0 0
MSG_LOGOUT_REQ 2 0 0
MSG_LEAVING_REQ 0 0 0
MSG_ARPPKT 0 0 0
MSG_PORT_REMOVE 0 0 0
MSG_VLAN_REMOVE 0 0 0
MSG_IF_REMOVE 6 0 0
MSG_IF_SHUT 0 0 0
MSG_IF_DISPORTAL 0 0 0
MSG_IF_UP 1 0 0
MSG_ACL_RESULT 0 0 0
MSG_CUT_L3IF 0 0 0
MSG_IP_REMOVE 0 0 0
MSG_ALL_REMOVE 1 0 0
MSG_IFIPADDR_CHANGE 0 0 0
MSG_SOCKET_CHANGE 8 0 0
MSG_NOTIFY 0 0 0
MSG_SETPOLICY 0 0 0
MSG_SETPOLICY_RESULT 0 0 0
Table 1-2 display portal connection statistics command output description
Field | Description
User state statistics | Statistics on portal users
State-Name | Name of a user state
User-Num | Number of users in a specific state
Message statistics | Statistics on messages
Msg-Name | Message type
Total | Total number of messages of a specific type
Err | Number of erroneous messages of a specific type
Discard | Number of discarded messages of a specific type
MSG_AUTHEN_ACK | Authentication acknowledgment message
MSG_AUTHOR_ACK | Authorization acknowledgment message
MSG_LOGIN_ACK | Accounting acknowledgment message
MSG_LOGOUT_ACK | Accounting-stop acknowledgment message
MSG_LEAVING_ACK | Leaving acknowledgment message
MSG_CUT_REQ | Cut request message
MSG_AUTH_REQ | Authentication request message
MSG_LOGIN_REQ | Accounting request message
MSG_LOGOUT_REQ | Accounting-stop request message
MSG_LEAVING_REQ | Leaving request message
MSG_ARPPKT | ARP message
MSG_PORT_REMOVE | Users-of-a-Layer-2-port-removed message
MSG_VLAN_REMOVE | VLAN user removed message
MSG_IF_REMOVE | Users-removed message, indicating that the users on a Layer 3 interface were removed because the interface was removed
MSG_IF_SHUT | Layer 3 interface shutdown message
MSG_IF_DISPORTAL | Portal-disabled-on-interface message
MSG_IF_UP | Layer 3 interface came up message
MSG_ACL_RESULT | ACL deployment failure message
MSG_CUT_L3IF | Users-removed message, indicating that the users on a Layer 3 interface were removed because they were logged out
MSG_IP_REMOVE | User-with-an-IP-removed message
MSG_ALL_REMOVE | All-users-removed message
MSG_IFIPADDR_CHANGE | Interface IP address change message
MSG_SOCKET_CHANGE | Socket change message
MSG_NOTIFY | Notification message
MSG_SETPOLICY | Set policy message for assigning a security ACL
MSG_SETPOLICY_RESULT | Set policy response message
display portal free-rule
Syntax
display portal free-rule [ rule-number ]
View
Any view
Default Level
1: Monitor level
Parameters
rule-number: Number of a portal-free rule. The value ranges from 0 to 63.
Description
Use the display portal free-rule command to display information about a specified portal-free rule or all portal-free rules.
Related commands: portal free-rule.
Examples
# Display information about portal-free rule 1.
<Sysname> display portal free-rule 1
Rule-Number 1:
Source:
IP : 2.2.2.0
Mask : 255.255.255.0
MAC : 0000-0000-0000
Interface : any
Vlan : 0
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Table 1-3 display portal free-rule command output description
Field | Description
Rule-Number | Number of the portal-free rule
Source | Source information in the portal-free rule
IP | Source IP address in the portal-free rule
Mask | Subnet mask of the source IP address in the portal-free rule
MAC | Source MAC address in the portal-free rule
Interface | Source interface in the portal-free rule
Vlan | Source VLAN in the portal-free rule
Destination | Destination information in the portal-free rule
IP | Destination IP address in the portal-free rule
Mask | Subnet mask of the destination IP address in the portal-free rule
display portal interface
Syntax
display portal interface interface-type interface-number
View
Any view
Default Level
1: Monitor level
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display portal interface command to display the portal configuration of an interface.
Examples
# Display the portal configuration of VLAN-interface1.
<Sysname> display portal interface vlan-interface 1
Interface portal configuration:
Vlan-interface 1: Portal running
Portal server: servername
Portal backup-group: None
Authentication type: Direct
Authentication domain: my-domain
Authentication network:
address : 0.0.0.0 mask : 0.0.0.0
Table 1-4 display portal interface command output description
Field | Description
Interface portal configuration | Portal configuration on the interface
Vlan-interface 1 | Status of the portal feature on the interface: disabled, enabled, or running
Portal server | Portal server referenced by the interface
Portal backup-group | Number of the portal group to which the interface belongs. If the interface does not belong to any portal group, None is displayed.
Authentication type | Authentication mode enabled on the interface
Authentication domain | Mandatory authentication domain of the interface
Authentication network | Information about the portal authentication subnet
address | IP address of the portal authentication subnet
mask | Subnet mask of the IP address of the portal authentication subnet
display portal server
Syntax
display portal server [ server-name ]
View
Any view
Default Level
1: Monitor level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.
Description
Use the display portal server command to display information about a specified portal server or all portal servers.
Related commands: portal server.
Examples
# Display information about portal server aaa.
<Sysname> display portal server aaa
Portal server:
1)aaa:
IP : 192.168.0.111
Key : portal
Port : 50100
URL : http://192.168.0.111
Status :Up
Table 1-5 display portal server command output description
Field | Description
1) | Number of the portal server
aaa | Name of the portal server
IP | IP address of the portal server
Key | Key used by the access device and the portal server for identity authentication. Not configured is displayed if no key is configured.
Port | Listening port on the portal server
URL | Address to which packets are redirected. Not configured is displayed if no address is configured.
Status | Current status of the portal server: N/A (the portal server is not referenced on any interface, or the portal server detection function is not enabled, so its reachability is unknown); Up (the portal server is referenced on an interface, the detection function is enabled, and the server is currently reachable); Down (the portal server is referenced on an interface, the detection function is enabled, but the server is currently unreachable)
display portal server statistics
Syntax
display portal server statistics { all | interface interface-type interface-number }
View
Any view
Default Level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display portal server statistics command to display portal server statistics on a specified interface or all interfaces.
Note that with the all keyword specified, the command displays portal server statistics by interface and therefore statistics about a portal server referenced by more than one interface may be displayed repeatedly.
Examples
# Display portal server statistics on VLAN-interface 1.
<Sysname> display portal server statistics interface vlan-interface 1
---------------Interface: Vlan-interface 1----------------------
Server name: st
Invalid packets: 0
Pkt-Name Total Discard Checkerr
REQ_CHALLENGE 3 0 0
ACK_CHALLENGE 3 0 0
REQ_AUTH 3 0 0
ACK_AUTH 3 0 0
REQ_LOGOUT 1 0 0
ACK_LOGOUT 1 0 0
AFF_ACK_AUTH 3 0 0
NTF_LOGOUT 1 0 0
REQ_INFO 6 0 0
ACK_INFO 6 0 0
NTF_USERDISCOVER 0 0 0
NTF_USERIPCHANGE 0 0 0
AFF_NTF_USERIPCHANGE 0 0 0
ACK_NTF_LOGOUT 1 0 0
NTF_USERSYNC 2 0 0
ACK_NTF_USERSYNC 0 0 0
Table 1-6 display portal server statistics command output description
Field | Description
Interface | Interface referencing the portal server
Server name | Name of the portal server
Invalid packets | Number of invalid packets
Pkt-Name | Packet type
Total | Total number of packets
Discard | Number of discarded packets
Checkerr | Number of erroneous packets
REQ_CHALLENGE | Challenge request message the portal server sends to the access device
ACK_CHALLENGE | Challenge acknowledgment message the access device sends to the portal server
REQ_AUTH | Authentication request message the portal server sends to the access device
ACK_AUTH | Authentication acknowledgment message the access device sends to the portal server
REQ_LOGOUT | Logout request message the portal server sends to the access device
ACK_LOGOUT | Logout acknowledgment message the access device sends to the portal server
AFF_ACK_AUTH | Affirmation message the portal server sends to the access device after receiving an authentication acknowledgment message
NTF_LOGOUT | Forced logout notification message the access device sends to the portal server
REQ_INFO | Information request message
ACK_INFO | Information acknowledgment message
NTF_USERDISCOVER | User discovery notification message the portal server sends to the access device
NTF_USERIPCHANGE | User IP change notification message the access device sends to the portal server
AFF_NTF_USERIPCHANGE | User IP change success notification message the portal server sends to the access device
ACK_NTF_LOGOUT | Forced logout acknowledgment message from the portal server
NTF_USERSYNC | User synchronization packet the portal server sends to the access device
ACK_NTF_USERSYNC | User synchronization packet acknowledged by the access device
display portal tcp-cheat statistics
Syntax
display portal tcp-cheat statistics
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display portal tcp-cheat statistics command to display TCP spoofing statistics.
Examples
# Display TCP spoofing statistics.
<Sysname> display portal tcp-cheat statistics
TCP Cheat Statistic:
Total Opens: 0
Resets Connections: 0
Current Opens: 0
Packets Received: 0
Packets Sent: 0
Packets Retransmitted: 0
Packets Dropped: 0
HTTP Packets Sent: 0
Connection State:
SYN_RECVD: 0
ESTABLISHED: 0
CLOSE_WAIT: 0
LAST_ACK: 0
FIN_WAIT_1: 0
FIN_WAIT_2: 0
CLOSING: 0
Table 1-7 display portal tcp-cheat statistics command output description
Field | Description
TCP Cheat Statistic | TCP spoofing statistics
Total Opens | Total number of opened connections
Resets Connections | Number of connections reset through RST packets
Current Opens | Number of connections currently being set up
Packets Received | Number of received packets
Packets Sent | Number of sent packets
Packets Retransmitted | Number of retransmitted packets
Packets Dropped | Number of dropped packets
HTTP Packets Sent | Number of HTTP packets sent
Connection State | Statistics of connections in various states
ESTABLISHED | Number of connections in ESTABLISHED state
CLOSE_WAIT | Number of connections in CLOSE_WAIT state
LAST_ACK | Number of connections in LAST_ACK state
FIN_WAIT_1 | Number of connections in FIN_WAIT_1 state
FIN_WAIT_2 | Number of connections in FIN_WAIT_2 state
CLOSING | Number of connections in CLOSING state
display portal user
Syntax
display portal user { all | interface interface-type interface-number }
View
Any view
Default Level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Description
Use the display portal user command to display information about portal users on a specified interface or all interfaces.
Examples
# Display information about portal users on all interfaces.
<Sysname> display portal user all
Index:15
State:ONLINE
SubState:NONE
ACL:3200
Work-mode:stand-alone
MAC IP Vlan Interface
---------------------------------------------------------------------
000f-1f86-3232 122.2.0.1 1 Vlan-interface1
Total 1 user(s) matched, 1 listed.
Table 1-8 display portal user command output description
Field | Description
Index | Index of the portal user
State | Current status of the portal user
SubState | Current sub-status of the portal user
ACL | Authorization ACL of the portal user
Work-mode | User mode of the portal user
MAC | MAC address of the portal user
IP | IP address of the portal user
Vlan | VLAN to which the portal user belongs
Interface | Interface to which the portal user is attached
Total 1 user(s) matched, 1 listed | Total number of portal users
portal auth-network
Syntax
portal auth-network network-address { mask-length | mask }
undo portal auth-network { network-address | all }
View
Interface view
Default Level
2: System level
Parameters
network-address: IP address of the authentication subnet.
mask-length: Length of the subnet mask, in the range of 0 to 32.
mask: Subnet mask, in dotted decimal notation.
all: Specifies all authentication subnets.
Description
Use the portal auth-network command to configure a portal authentication subnet.
Use the undo portal auth-network command to remove a specified portal authentication subnet or all portal authentication subnets.
By default, the portal authentication subnet is 0.0.0.0/0, meaning that users in all subnets are to be authenticated.
Note that this command applies only to Layer 3 authentication. For direct authentication the portal authentication subnet is any source IP address, and for re-DHCP authentication it is the subnet determined by the private IP address of the interface connecting the users.
Examples
# Configure a portal authentication subnet of 10.10.10.0/24.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal auth-network 10.10.10.0 24
portal delete-user
Syntax
portal delete-user { ip-address | all | interface interface-type interface-number }
View
System view
Default Level
2: System level
Parameters
ip-address: Logs out the user with the specified IP address.
all: Logs out all users.
interface interface-type interface-number: Logs out all users on the specified interface.
Description
Use the portal delete-user command to log out users.
Related commands: display portal user.
Examples
# Log out the user whose IP address is 1.1.1.1.
<Sysname> system-view
[Sysname] portal delete-user 1.1.1.1
portal domain
Syntax
portal domain domain-name
undo portal domain
View
Interface view
Default Level
2: System level
Parameters
domain-name: ISP domain name, a case-insensitive string of 1 to 24 characters. The domain specified by this argument must already exist.
Description
Use the portal domain command to specify a mandatory authentication domain for an interface. After you specify a mandatory authentication domain for an interface, the device will use the mandatory authentication domain for authentication, authorization and accounting (AAA) of the portal users on the interface.
Use the undo portal domain command to restore the default.
By default, no mandatory authentication domain is specified for an interface.
Related commands: display portal interface.
Examples
# On VLAN-interface 100, configure the mandatory authentication domain as my-domain.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal domain my-domain
portal free-rule
Syntax
portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | netmask } | any } } | source { any | [ interface interface-type interface-number | ip { ip-address mask { mask-length | netmask } | any } | mac mac-address | vlan vlan-id ] * } } *
undo portal free-rule { rule-number | all }
View
System view
Default Level
2: System level
Parameters
rule-number: Number for the portal-free rule. The value ranges from 0 to 63.
any: Imposes no limitation on the previous keyword.
ip ip-address: Specifies an IP address.
mask { mask-length | netmask }: Specifies the mask of the IP address, which can be in dotted decimal notation or an integer in the range 0 to 32.
interface interface-type interface-number: Specifies a source interface.
mac mac-address: Specifies a source MAC address in the format of H-H-H.
vlan vlan-id: Specifies a source VLAN ID.
all: Specifies all portal-free rules.
Description
Use the portal free-rule command to configure a portal-free rule and specify the source filtering condition and/or destination filtering condition.
Use the undo portal free-rule command to remove a specified portal-free rule or all portal-free rules.
Note that:
• If you specify both a source IP address and a source MAC address, the IP address must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect.
• If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the command does not take effect after being executed.
• You cannot configure a portal-free rule with the same filtering criteria as an existing one. Otherwise, the system prompts that the rule already exists.
• Whether or not portal authentication is enabled on an interface, you can only add or remove a portal-free rule, not modify it.
Related commands: display portal free-rule.
Examples
# Configure a portal-free rule that allows any packet whose source IP address is in 10.10.10.1/24 and whose source interface is GigabitEthernet 1/0/1 to bypass portal authentication.
<Sysname> system-view
[Sysname] portal free-rule 15 source ip 10.10.10.1 mask 24 interface gigabitethernet 1/0/1 destination ip any
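The constraints in the notes above (host mask for a MAC match, interface-in-VLAN, no duplicate criteria, add-or-remove only) and the resulting matching semantics, modelled as an added example that is not H3C code; the VLAN membership map, interface names and packet fields are constructed for the demo:

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# mac-address is written in H-H-H format, for example 000f-1f86-3232
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


@dataclass(frozen=True)
class FreeRule:
    """One portal-free rule; None means 'any' for that field. IP fields are
    CIDR strings: 'ip 10.10.10.1 mask 24' on the CLI becomes '10.10.10.1/24'."""
    number: int
    src_ip: Optional[str] = None
    src_mac: Optional[str] = None
    src_interface: Optional[str] = None
    src_vlan: Optional[int] = None
    dst_ip: Optional[str] = None


def _network(cidr: str) -> ipaddress.IPv4Network:
    # strict=False: a host address with a shorter mask is accepted and the
    # rule applies to the containing subnet (10.10.10.1/24 -> 10.10.10.0/24).
    return ipaddress.ip_network(cidr, strict=False)


def _mac_effective(rule: FreeRule) -> bool:
    # Note 1: with both source IP and MAC configured, the MAC only takes
    # effect when the IP is a host address (32-bit mask).
    return bool(rule.src_mac) and (rule.src_ip is None or _network(rule.src_ip).prefixlen == 32)


def criteria(rule: FreeRule) -> Tuple:
    """Filtering criteria only (the rule number is not one of them); two
    rules with equal criteria are duplicates (note 3)."""
    return (str(_network(rule.src_ip)) if rule.src_ip else None,
            rule.src_mac.lower() if rule.src_mac else None,
            rule.src_interface, rule.src_vlan,
            str(_network(rule.dst_ip)) if rule.dst_ip else None)


def matches(rule: FreeRule, src_ip: str, src_mac: str, iface: str,
            vlan: int, dst_ip: str) -> bool:
    """True if a packet with these fields bypasses portal authentication."""
    if rule.src_ip and ipaddress.ip_address(src_ip) not in _network(rule.src_ip):
        return False
    if _mac_effective(rule) and src_mac.lower() != rule.src_mac.lower():
        return False
    if rule.src_interface and iface != rule.src_interface:
        return False
    if rule.src_vlan is not None and vlan != rule.src_vlan:
        return False
    if rule.dst_ip and ipaddress.ip_address(dst_ip) not in _network(rule.dst_ip):
        return False
    return True


class PortalFreeRuleTable:
    def __init__(self, vlan_members: Dict[int, Set[str]]):
        self.vlan_members = vlan_members   # constructed: VLAN id -> member interfaces
        self.rules: Dict[int, FreeRule] = {}

    def check(self, rule: FreeRule) -> Tuple[List[str], List[str]]:
        """(errors, warnings): errors are cases the CLI rejects or that would
        not take effect; warnings are accepted but partly ignored settings."""
        errors, warnings = [], []
        if not 0 <= rule.number <= 63:
            errors.append("rule-number must be 0 to 63")
        if rule.number in self.rules:
            # Note 4: a rule can only be added or removed, never modified.
            errors.append("rule %d exists; remove it before re-adding" % rule.number)
        if rule.src_mac and not MAC_RE.match(rule.src_mac.lower()):
            errors.append("mac-address must be in H-H-H format")
        if rule.src_mac and rule.src_ip and not _mac_effective(rule):
            warnings.append("source MAC will not take effect: mask is not 32 bits")
        if rule.src_vlan is not None and rule.src_interface:
            # Note 2: the interface must belong to the VLAN.
            if rule.src_interface not in self.vlan_members.get(rule.src_vlan, set()):
                errors.append("%s is not in VLAN %d; rule would not take effect"
                              % (rule.src_interface, rule.src_vlan))
        if any(criteria(r) == criteria(rule)
               for r in self.rules.values() if r.number != rule.number):
            errors.append("the rule already exists")
        return errors, warnings

    def add(self, rule: FreeRule) -> List[str]:
        """portal free-rule: raises on error, returns any warnings."""
        errors, warnings = self.check(rule)
        if errors:
            raise ValueError("; ".join(errors))
        self.rules[rule.number] = rule
        return warnings

    def exempt(self, **packet) -> Optional[int]:
        """Number of the lowest-numbered rule the packet matches, or None."""
        for number in sorted(self.rules):
            if matches(self.rules[number], **packet):
                return number
        return None
```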
portal max-user
Syntax
portal max-user max-number
undo portal max-user
View
System view
Default Level
2: System level
Parameters
max-number: Maximum number of online portal users allowed in the system, in the range 1 to 6000.
Description
Use the portal max-user command to set the maximum number of online portal users allowed in the system.
Use the undo portal max-user command to restore the default.
By default, the maximum number of portal users allowed is 6000.
Note that if the maximum number specified in the command is less than the number of portal users currently online, the command still executes successfully and does not affect the online users, but the system accepts no new portal users until the number of online users drops below the limit.
Examples
# Set the maximum number of portal users allowed in the system to 100.
<Sysname> system-view
[Sysname] portal max-user 100
portal nas-id-profile
Syntax
portal nas-id-profile profile-name
undo portal nas-id-profile
View
Interface view
Default Level
2: System level
Parameters
profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs. The profile can be configured by using the aaa nas-id profile command. For details, see AAA Commands in the Command Reference - Part 8 - Security.
Description
Use the portal nas-id-profile command to specify a NAS ID profile for the interface.
Use the undo portal nas-id-profile command to cancel the configuration.
By default, an interface is not specified with any NAS ID profile.
Note that if an interface is specified with a NAS ID profile, the interface prefers the binding defined in the profile. If no NAS ID profile is specified for an interface, or no matching binding is found in the specified profile:
• If a NAS ID is configured using the portal nas-id command, the interface uses the configured NAS ID as its own.
• If the interface does not support NAS ID configuration or has no NAS ID configured, it uses the device name as the interface NAS ID.
Examples
# Specify NAS ID profile aaa for VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal nas-id-profile aaa
portal nas-ip
Syntax
portal nas-ip ip-address
undo portal nas-ip
View
Interface view
Default Level
2: System level
Parameters
ip-address: Source IP address to be specified for portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Description
Use the portal nas-ip command to configure the source IP address for portal packets to be sent.
Use the undo portal nas-ip command to restore the default.
By default, no source IP address is specified, and the IP address of the user access interface will be used as the source IP address of the portal packets.
Examples
# Configure the source IP address for portal packets to be sent on VLAN-interface 5 as 2.2.2.2.
<Sysname> system-view
[Sysname] interface vlan-interface 5
[Sysname-Vlan-interface5] portal nas-ip 2.2.2.2
portal server
Syntax
portal server server-name ip ip-address [ key key-string | port port-id | url url-string ] *
undo portal server server-name [ key | port | url ]
View
System view
Default Level
2: System level
Parameters
server-name: Name of the portal server, a case-sensitive string of 1 to 32 characters.
ip-address: IP address of the portal server. If you configure the local portal server, the IP address specified must be that of a Layer 3 interface on the device and must be reachable to the portal clients.
key-string: Shared key for communication with the portal server, a case-sensitive string of 1 to 16 characters.
port-id: Destination port number used when the device sends a message to the portal server on its own initiative (unsolicited), in the range 1 to 65534. The default is 50100.
url-string: Uniform resource locator (URL) to which HTTP packets are to be redirected. The default URL is in the http://ip-address format, where ip-address is the IP address of the portal server. You can also specify the domain name of the portal server, in which case you need to use the portal free-rule command to configure the IP address of the DNS server as a portal authentication-free destination IP address.
Description
Use the portal server command to configure a portal server.
Use the undo portal server command to remove a portal server, restore the default destination port number or URL, or delete the shared key.
By default, no portal server is configured.
Note that:
• The undo portal server server-name command removes the specified portal server only if the server exists and there are no users on the interfaces that reference it.
• A configured portal server and its parameters can be removed or modified only when the portal server is not referenced by an interface. To remove or modify the settings of a portal server that is referenced by an interface, first remove the portal configuration on the interface with the undo portal command.
• For local portal server configuration, the keywords key, port, and url are not required and, if configured, do not take effect.
Related commands: display portal server.
Examples
# Configure portal server pts, setting the IP address to 192.168.0.111.
<Sysname> system-view
[Sysname] portal server pts ip 192.168.0.111
portal server method
Syntax
portal server server-name method { direct | layer3 | redhcp }
undo portal
View
Interface view
Default Level
2: System level
Parameters
server-name: Name of the portal server, a case-sensitive string of 1 to 32 characters.
method: Specifies the authentication mode to be used.
direct: Direct authentication.
layer3: Layer 3 authentication.
redhcp: Re-DHCP authentication.
Description
Use the portal server method command to enable Layer 3 portal authentication on an interface, and specify the portal server to be referenced and the authentication mode.
Use the undo portal command to disable portal authentication on an interface.
By default, portal authentication is disabled on an interface.
Note that:
• The portal server to be referenced must exist.
• For the local portal server, the re-DHCP authentication mode can be configured but does not take effect.
Related commands: display portal server.
Examples
# Enable portal authentication on interface VLAN-interface 100, referencing the portal server pts and the authentication mode direct.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal server pts method direct
portal server server-detect
Syntax
portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | trap } * [ interval interval ] [ retry retries ]
undo portal server server-name server-detect
View
System view
Default Level
2: System level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.
server-detect method { http | portal-heartbeat }: Specifies the portal server detection method. Two detection methods are available:
• http: Probes HTTP connections. In this method, the access device periodically sends TCP connection requests to the HTTP service port of the portal servers enabled on its interfaces. If the TCP connection with a portal server can be established, the access device considers that the HTTP service of the portal server is open and the portal server is reachable, that is, the detection succeeds. If the TCP connection cannot be established, the access device considers that the detection fails, that is, the portal server is unreachable. If a portal server does not support the portal server heartbeat function, you can configure the device to use the HTTP probe method to detect the reachability of the portal server.
• portal-heartbeat: Probes portal heartbeat packets. Portal servers periodically send portal heartbeat packets to the access devices. If an access device receives a portal heartbeat packet from a portal server within the specified interval, the access device considers that the probe succeeds and the portal server is reachable; otherwise, it considers that the probe fails and the portal server is unreachable. This method is effective only for portal servers that support the portal heartbeat function. Currently, only the iMC portal server supports this function. To implement detection with this method, you also need to configure the portal server heartbeat function on the iMC portal server and make sure that the server heartbeat interval configured on the portal server is shorter than or equal to the probe interval configured on the device.
action { log | permit-all | trap }: Specifies the actions to be taken when the status of a portal server changes. Three actions are available:
• log: Specifies the action as sending a log message. When the status (reachable/unreachable) of a portal server changes, the access device sends a log message. The log message contains the portal server name and the current and original states of the portal server.
• permit-all: Specifies the action as disabling portal authentication, that is, enabling portal escape. When the device detects that a portal server is unreachable, it disables portal authentication on the interface referencing the portal server, that is, it allows all portal users on this interface to access network resources. Then, if the access device receives portal server heartbeat packets or authentication packets (such as login requests and logout requests), it re-enables the portal authentication function.
• trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of a portal server changes, the access device sends a trap message to the network management server (NMS). The trap message contains the portal server name and the current state of the portal server.
interval interval: Interval at which probe attempts are made. The interval argument ranges from 20 to 600 and defaults to 20, in seconds.
retry retries: Maximum number of probe attempts. The retries argument ranges from 1 to 5 and defaults to 3. If the number of consecutive, failed probes reaches this value, the access device considers that the portal server is unreachable.
Description
Use the portal server server-detect command to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. With this function configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes.
Use the undo portal server server-detect command to cancel the detection of the specified portal server.
By default, the portal server detection function is not configured.
Note that:
l You can specify one or more detection methods and the actions to be taken.
l If both detection methods are specified, a portal server will be regarded as unreachable as long as one detection method fails, and an unreachable portal server will be regarded as recovered only when both detection methods succeed.
l If multiple actions are specified, the system will execute all the specified actions when the status of a portal server changes.
l Deleting a portal server on the device will delete the detection function for the portal server.
l If you configure the detection function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.
l The portal server detection function takes effect only when the portal server is referenced on an interface.
l Authentication-related packets from a portal server, such as logon requests and logoff requests, have the same effect as the portal heartbeat packets for the portal server detection function.
Related command: display portal server.
Examples
# Configure detection of portal server pts:
l Specifying both the HTTP probe and portal heartbeat probe methods
l Setting the probe interval to 600 seconds
l Specifying that, if two consecutive probes fail, the device sends a server-unreachable trap message, sends a log message, and disables portal authentication to permit unauthenticated portal users
<Sysname> system-view
[Sysname] portal server pts server-detect method http portal-heartbeat action log permit-all trap interval 600 retry 2
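The detection semantics described above (a probe cycle fails if any configured method fails, recovery requires every method to succeed, and the configured actions run once the consecutive-failure count reaches retry), modelled as an added Python example; this is not code from the manual or the device software, and the probe results are constructed sample data:

```python
from dataclasses import dataclass, field

@dataclass
class PortalServerDetect:
    """Model of 'portal server server-detect' (added example, not device code)."""
    name: str
    methods: tuple            # e.g. ("http", "portal-heartbeat")
    actions: tuple            # any of "log", "permit-all", "trap"
    retry: int = 3            # consecutive failed cycles before "unreachable"
    reachable: bool = True    # assumed reachable when first configured
    portal_enabled: bool = True
    failures: int = 0         # consecutive failed probe cycles
    events: list = field(default_factory=list)

    def probe(self, results):
        """One probe cycle; results maps each method to True (ok) / False.
        A cycle fails if any method fails; an unreachable server counts as
        recovered only when every method succeeds."""
        if all(results[m] for m in self.methods):
            self.failures = 0
            if not self.reachable:
                self._transition(True)
        else:
            self.failures += 1
            if self.reachable and self.failures >= self.retry:
                self._transition(False)
        return self.reachable

    def _transition(self, up):
        self.reachable = up
        state = "reachable" if up else "unreachable"
        if "log" in self.actions:
            self.events.append(f"log: portal server {self.name} {state}")
        if "trap" in self.actions:
            self.events.append(f"trap: server={self.name} state={state}")
        if "permit-all" in self.actions:
            # portal escape: authentication off while the server is down,
            # re-enabled once heartbeat or authentication packets resume
            self.portal_enabled = up
            self.events.append("portal authentication " + ("enabled" if up else "disabled"))

def run_example():
    """Replays the manual's example config (retry 2) against constructed probes."""
    d = PortalServerDetect("pts", ("http", "portal-heartbeat"),
                           ("log", "permit-all", "trap"), retry=2)
    cycles = [{"http": True, "portal-heartbeat": False},   # 1st failed cycle
              {"http": False, "portal-heartbeat": False},  # 2nd -> unreachable
              {"http": True, "portal-heartbeat": False},   # partial: no recovery
              {"http": True, "portal-heartbeat": True}]    # both ok -> recovered
    return d, [d.probe(c) for c in cycles]
```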
Syntax
portal server server-name user-sync [ interval interval ] [ retry retries ]
undo portal server server-name user-sync
View
System view
Default Level
2: System level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must have existed.
user-sync: Enables the portal user synchronization function.
interval interval: Interval at which the device checks the user synchronization packets. The interval argument ranges from 60 to 3600 and defaults to 300, in seconds.
retry retries: Specifies the maximum number of consecutive failed checks. The retries argument ranges from 1 to 5 and defaults to 4. If the access device finds that one of its users does not exist in the user synchronization packets from the portal server in N consecutive probe intervals (N = retries), it considers that the user does not exist on the portal server and logs the user off.
Description
Use the portal server user-sync command to configure portal user synchronization with a specified portal server. With this function configured, the device periodically checks and responds to the user synchronization packets received from the specified portal server, so as to keep the online user information on the device consistent with that on the portal server.
Use the undo portal server user-sync command to cancel the portal user synchronization configuration with the specified portal server.
By default, the portal user synchronization function is not configured.
Note that:
l The user synchronization function requires that a portal server supports the portal user heartbeat function (currently only the portal server of iMC supports portal user heartbeat). To implement the portal user synchronization function, you also need to configure the user heartbeat function on the portal server and make sure that the user heartbeat interval configured on the portal server is shorter than or equal to the synchronization probe interval configured on the device.
l Deleting a portal server on the device will delete the portal user synchronization configuration with the portal server.
l If you configure the user synchronization function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.
l For redundant user information on the device, that is, information of the users considered as nonexistent on the portal server, the device deletes the information during the (N+1)th probe interval, where N equals the value of retries configured in the portal server user-sync command.
Examples
# Configure the device to synchronize portal user information with portal server pts, and:
l Setting the synchronization probe interval to 600 seconds
l Specifying the device to log off users whose information does not appear in the user synchronization packets sent from the server in two consecutive probe intervals
<Sysname> system-view
[Sysname] portal server pts user-sync interval 600 retry 2
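The user synchronization behaviour described above (a per-user count of consecutive probe intervals in which the user is absent from the server's synchronization packet, with log-off once the count reaches retry) and the note's heartbeat-interval requirement, as an added Python example; this is not code from the manual or the device software, and the user lists and packets are constructed sample data:

```python
class PortalUserSync:
    """Model of 'portal server user-sync' (added example, not device code).
    Each probe interval the device compares its online portal users with the
    user list in the server's synchronization packet; a user missing for
    `retry` consecutive intervals is treated as gone and logged off."""

    def __init__(self, online_users, retry=4):
        self.online = set(online_users)
        self.retry = retry
        self.misses = {u: 0 for u in self.online}  # consecutive intervals absent
        self.logged_off = []

    def sync_interval(self, users_in_packet):
        """Process one probe interval; returns the users still online."""
        reported = set(users_in_packet)
        stale = []
        for user in self.online:
            if user in reported:
                self.misses[user] = 0   # seen again: counter restarts
                continue
            self.misses[user] += 1
            if self.misses[user] >= self.retry:
                stale.append(user)
        for user in sorted(stale):   # redundant entries: log off and delete
            self.online.discard(user)
            del self.misses[user]
            self.logged_off.append(user)
        return sorted(self.online)

def heartbeat_interval_ok(server_user_heartbeat, device_sync_interval):
    """Configuration check from the manual's note: the user heartbeat interval
    on the portal server must be shorter than or equal to the synchronization
    probe interval configured on the device (both in seconds)."""
    return server_user_heartbeat <= device_sync_interval

def run_example():
    """Manual's example config (retry 2) against constructed sync packets."""
    s = PortalUserSync(["alice", "bob", "carol"], retry=2)
    packets = [{"alice", "bob"},    # carol absent once
               {"alice", "carol"},  # bob absent once, carol seen again
               {"alice"},           # bob absent twice -> logged off
               {"alice"}]           # carol absent twice -> logged off
    history = [s.sync_interval(p) for p in packets]
    return s, history
```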
Syntax
reset portal connection statistics { all | interface interface-type interface-number }
View
User view
Default Level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Description
Use the reset portal connection statistics command to clear portal connection statistics on a specified interface or all interfaces.
Examples
# Clear portal connection statistics on VLAN-interface1.
<Sysname> reset portal connection statistics interface vlan-interface 1
Syntax
reset portal server statistics { all | interface interface-type interface-number }
View
User view
Default Level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Description
Use the reset portal server statistics command to clear portal server statistics on a specified interface or all interfaces.
Examples
# Clear portal server statistics on VLAN-interface 1.
<Sysname> reset portal server statistics interface vlan-interface 1
Syntax
reset portal tcp-cheat statistics
View
User view
Default Level
1: Monitor level
Parameters
None
Description
Use the reset portal tcp-cheat statistics command to clear TCP spoofing statistics.
Examples
# Clear TCP spoofing statistics.
<Sysname> reset portal tcp-cheat statistics