H3C S3100 Series Ethernet Switches Command Manual-Release 22XX Series(V1.00)

20-Web Authentication Commands

Web Authentication Configuration Commands

 

Currently, only the S3100-EI series supports Web authentication.

 

display web-authentication configuration

Syntax

display web-authentication configuration

View

Any view

Parameters

None

Description

Use the display web-authentication configuration command to display all Web authentication configurations, including global configurations and configurations on individual ports.

Examples

# Display Web authentication configuration information.

<Sysname> display web-authentication configuration

Status: disabled

 Protocol: HTTP

 Web Server:

 Idle-cut time: 900 sec

 Max-online time: 1800 sec

 Max-connection of device is: 512

 Customized authentication-page information :

     Corp-Name:

     Platform-Name:

     Phone-Num:

     Email-address:

     File:

 Free IP:

 Free User:

 Interface Configuration:

 Interface_number         method        max-connection   

Table 1-1 Description on the fields of display web-authentication configuration

Field                                        Description

Status                                       Global status of Web authentication

Protocol                                     Access protocol for Web authentication, HTTP or HTTPS

Web Server                                   IP address and port number of the Web authentication server

Idle-cut time                                Idle user checking interval

Max-online time                              Maximum online time specified for Web authentication users

Max-connection of device                     Maximum number of Web authentication users allowed on the device

Customized authentication-page information   Customized information to be displayed on authentication pages, including company name, subject, contact phone number, E-mail address, or the customized Web file

Free IP                                      Free IP address range information

Free User                                    Authentication-free user information

Interface Configuration                      Configuration information about Web-authentication-enabled ports

Interface_number                             Index of a Web-authentication-enabled port

method                                       User access method on the port: shared, designated, or extended

max-connection                               Maximum number of online users allowed on the port

 

display web-authentication connection

Syntax

display web-authentication connection { all | interface interface-type interface-number | user-name user-name }

View

Any view

Parameters

all: Displays information about all online Web-authentication users.

interface-type interface-number: Type and number of an interface.

user-name: Name of a user, a string of 1 to 184 characters.

Description

Use the display web-authentication connection command to display information about specified or all online Web-authentication users.

Examples

# Display information about all online Web-authentication users.

<Sysname> display web-authentication connection all

Username: 1

MAC: 000d-88f6-44c1   Interface: Ethernet1/0/1

VLAN: 2               Method: Shared

State: ONLINE         Online-Time(s): 8

 

Total 1 connection(s) matched

Table 1-2 Description on the fields of display web-authentication connection

Field            Description

Username         Name of an online Web-authentication user

MAC              MAC address of the user

Interface        Access port of the user

VLAN             VLAN the user belongs to

Method           Access method of the user: shared, designated, or extended

State            User status

Online-Time(s)   Online time of the user

 

web-authentication auth-fail vlan

Syntax

web-authentication auth-fail vlan authfail-vlan-id

undo web-authentication auth-fail vlan

View

Port view

Parameters

authfail-vlan-id: ID of the VLAN to be specified as the Auth-Fail VLAN of the port, in the range 1 to 4094. The VLAN must already exist.

Description

Use the web-authentication auth-fail vlan command on the port to configure a Web authentication Auth-Fail VLAN, that is, the VLAN allowed to be accessed by users failing Web authentication on the port.

Use the undo web-authentication auth-fail vlan command to restore the default.

By default, no Auth-Fail VLAN is configured on a port.

Note that:

•  Before configuring an Auth-Fail VLAN for Web authentication on a port, you need to use the web-authentication select method extended command to set the Web authentication access method on the port to extended.

•  Failing authentication means being denied by the authentication server due to explicit reasons such as wrong password. Authentication failures caused by authentication timeout or network connection problems do not fall into this category.

•  For MAFV to take effect on a port, you must also enable the MAC VLAN function on the port.

•  You cannot delete a VLAN configured as Auth-Fail VLAN. To delete such a VLAN, remove the Auth-Fail VLAN configuration first by using the undo web-authentication auth-fail vlan command.

Examples

# On port Ethernet 1/0/1, configure VLAN 3 as the Auth-Fail VLAN for Web authentication.

<Sysname> system-view

[Sysname] interface ethernet 1/0/1

[Sysname-Ethernet1/0/1] web-authentication auth-fail vlan 3

web-authentication customize

Syntax

web-authentication customize { corp-name corporation-text | email email-string | phone-num phonenum-string | platform-name platform-text | file web-file }

undo web-authentication customize { corp-name | email | phone-num | platform-name | file | all }

View

System view

Parameters

corp-name: Specifies the company name to be displayed on Web authentication pages.

corporation-text: Company name, a string of 1 to 64 characters that can contain spaces.

email: Specifies the E-mail address to be displayed on Web authentication pages.

email-string: E-mail address, a string of 1 to 64 characters that can contain spaces. If it contains spaces, it must be enclosed with a pair of double quotation marks.

phone-num: Specifies the phone number to be displayed on Web authentication pages.

phonenum-string: Phone number, a string of 1 to 32 characters that can contain spaces. If it contains spaces, it must be enclosed with a pair of double quotation marks.

platform-name: Specifies the subject to be displayed on Web authentication pages.

platform-text: Subject introduction, a string of 1 to 128 characters that can contain spaces.

file: Specifies the custom web file.

web-file: Name of the custom web file, a string of 1 to 142 letters.

all: Restores all customized items to the defaults.

Description

Use the web-authentication customize command to customize the company name, subject, contact phone number, and E-mail address to be displayed on authentication pages or to specify the custom web file. After the configuration, the customized information will be displayed on all Web pages provided during the authentication process.

Use the undo web-authentication customize command to restore the specified or all customized items to the defaults.

By default, no customized information is configured to be displayed on Web authentication pages.

Examples

# Customize information to be displayed on Web authentication pages as follows:

•  Company name: H3C Technologies

•  E-mail: [email protected]

•  Phone number: +86-571-86760000

•  Subject: A leading global supplier of IP-based products and solutions

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] web-authentication customize corp-name H3C Technologies

[Sysname] web-authentication customize email [email protected]

[Sysname] web-authentication customize phone-num +86-571-86760000

[Sysname] web-authentication customize platform-name A leading global supplier of IP-based products and solutions

After the above configuration, the customized information will be displayed on the Web authentication page, as shown in Figure 1-1.

Figure 1-1 Web authentication page with customized information

 

web-authentication cut connection

Syntax

web-authentication cut connection { all | mac mac-address | user-name user-name | interface interface-type interface-number }

View

System view

Parameters

all: Specifies all online users.

mac mac-address: Specifies a user by the user’s MAC address.

user-name user-name: Specifies a user by the user’s name, which is a string of 1 to 184 characters.

interface-type interface-number: Specifies all users on a port.

Description

Use the web-authentication cut connection command to forcibly log out the specified or all users.

Examples

# Forcibly log out all online users on Ethernet 1/0/2.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] web-authentication cut connection interface Ethernet1/0/2

web-authentication enable

Syntax

web-authentication enable

undo web-authentication enable

View

System view

Parameters

None

Description

Use the web-authentication enable command to enable Web authentication globally.

Use the undo web-authentication enable command to disable Web authentication globally.

Examples

# Enable Web authentication globally.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] web-authentication web-server ip 192.168.0.56 port 80

[Sysname] web-authentication enable

web-authentication free-ip

Syntax

web-authentication free-ip ip-address { mask-length | mask }

undo web-authentication free-ip { ip-address { mask-length | mask } | all }

View

System view

Parameters

ip-address: IP address.

mask-length: Mask length, ranging from 1 to 32.

mask: Mask address.

all: All IP addresses.

Description

Use the web-authentication free-ip command to set a free IP address range, which can be accessed by users before they pass Web authentication.

Use the undo web-authentication free-ip command to remove the setting or all such settings.

By default, no free IP address range is set.

 

•  The free IP address range to be set cannot include the Web authentication server’s IP address.

•  At most sixteen free IP address ranges can be set.

 

Examples

# Set IP address range 10.1.1.0/24 as a free address range.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] web-authentication free-ip 10.1.1.0 24

web-authentication free-user

Syntax

Ethernet interface view:

web-authentication free-user ip ip-address mac mac-address

undo web-authentication free-user ip ip-address mac mac-address

System view:

web-authentication free-user ip ip-address mac mac-address [ interface interface-list ]

undo web-authentication free-user { ip ip-address mac mac-address [ interface interface-list ] | all }

View

Ethernet interface view, system view

Parameters

ip ip-address: IP address of the web authentication-free user.

mac mac-address: MAC address of the web authentication-free user in the format of xxxx-xxxx-xxxx.

interface interface-list: Specifies an Ethernet interface list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 ports or port ranges. The starting port and ending port of a port range must be of the same type and the ending port number must be greater than the starting port number.

all: Deletes web authentication-free users on all ports.

Description

Use the web-authentication free-user command to configure a web authentication-free user.

Use the undo web-authentication free-user command to delete web authentication-free users configured on a port or all ports.

By default, no web authentication-free user is configured.

Note that:

•  In system view, if you provide the interface interface-list parameter, the command configures a web authentication-free user on the specified ports; otherwise, the command configures a web authentication-free user globally.

•  In Ethernet interface view, the command configures a web authentication-free user for the port and the interface-list argument is not available.

•  For a user getting online in shared or extended access method, if you configure an authentication-free user whose IP address and MAC address are the same as those of the online user, the online user will be forced to get offline.

Examples

# In system view, configure a web-authentication-free user on Ethernet 1/0/2.

<Sysname> system-view

[Sysname] web-authentication free-user ip 100.1.1.10 mac 0015-e943-9fcf interface Ethernet 1/0/2

web-authentication max-connection

Syntax

web-authentication max-connection number

undo web-authentication max-connection

View

System view, port view

Parameters

number: Maximum number of online Web-authentication users.

Description

Use the web-authentication max-connection command to set the maximum number of online Web authentication users on the device or on the current port. When this threshold is reached, no more users can pass the Web authentication on the device or port.

If configured in port view, this command can be configured on only a port that provides shared or extended Web authentication access.

By default, a port allows up to 128 online Web-authentication users, and a device allows up to 512 online Web-authentication users.

Examples

# Configure Ethernet 1/0/1 to allow at most 100 online Web-authentication users.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] web-authentication select method shared

[Sysname-Ethernet1/0/1] web-authentication max-connection 100

web-authentication move-mode

Syntax

web-authentication move-mode { auto | secure }

undo web-authentication move-mode

View

System view

Parameters

auto: Auto mode. In this mode, a web authenticated user can move between ports in the same access VLAN without needing re-authentication and the switch keeps the user in authenticated state on the new port after transition.

secure: Secure mode. In this mode, a web authenticated user must be re-authenticated before it can access another port. If the user passes re-authentication, the switch deletes the connection information of the user on the previous port and creates new connection information for the user on the new access port. If not, the user cannot access the new port but can still access the previous port.

Description

Use the web-authentication move-mode command to configure the transition mode for web authentication users.

Use the undo web-authentication move-mode command to restore the default mode.

By default, the transition mode is secure.

The auto mode allows a user to move between ports in the same VLAN rather than different VLANs. If a user moves between VLANs, the access is denied but the previous port is still open for this user.

Examples

# Configure the transition mode as auto for web authentication users.

<Sysname> system-view

[Sysname] web-authentication move-mode auto

web-authentication protocol

Syntax

web-authentication protocol { http | https server-policy policy-name }

undo web-authentication protocol

View

System view

Parameters

http: Specifies that clients use HTTP to access the authentication pages. Authentication information is not encrypted in this mode.

https: Specifies that clients use HTTPS to access the authentication pages. Authentication information is encrypted in this mode.

policy-name: Specifies the SSL server policy by its name, a string of 1 to 16 characters.

Description

Use the web-authentication protocol command to specify the access protocol for Web authentication. If you specify the access protocol as HTTPS, authentication information exchanged between the switch and its clients will be in ciphertext.

Use the undo web-authentication protocol command to restore the default.

By default, HTTP is used between the switch and its clients.

Note that:

•  You must configure this command before enabling Web authentication. That is, after enabling Web authentication, you cannot change the access protocol for Web authentication.

•  Before configuring HTTPS access for Web authentication, be sure to configure the SSL server policy and request a certificate for the PKI domain of the SSL server policy.

•  After modifying the SSL server policy in use, you need to disable Web authentication and then enable it again in system view to make the changes take effect.

•  Only SSL 3.0 and TLS 1.0 are supported. SSL 2.0 is not supported.

•  With HTTPS access for Web authentication configured on the switch, clients need to use HTTP 1.1 to log in. Otherwise, the authentication page opens very slowly.

Examples

# Configure HTTPS access for Web authentication, specifying to use SSL server policy pt_ssl.

<Sysname> system-view

[Sysname] web-authentication protocol https server-policy pt_ssl

web-authentication select method

Syntax

web-authentication select method { shared | designated | extended }

undo web-authentication select

View

Port view

Parameters

shared: Uses the shared Web authentication access method.

designated: Uses the designated Web authentication access method.

extended: Uses the extended Web authentication access method.

Description

Use the web-authentication select method command to enable Web authentication on the current port and set the Web authentication access method.

Use the undo web-authentication select command to disable Web authentication on the port.

There are three Web authentication access methods:

•  Shared: In this method, a port allows multiple Web authentication users to get online at the same time.

•  Designated: In this method, a port allows only one Web authentication user to be online at a time.

•  Extended: In this method, a hybrid port allows multiple Web authentication users to get online at the same time.

This configuration takes effect only when Web authentication is enabled globally. If Web authentication is not enabled globally, this configuration will only be saved.

 

Web authentication cannot be enabled on a port in an aggregation group.

 

Examples

# Enable Web authentication on Ethernet 1/0/1 and set the Web authentication access method to shared.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] web-authentication select method shared

web-authentication timer idle-cut

Syntax

web-authentication timer idle-cut timer

undo web-authentication timer idle-cut

View

System view

Parameters

timer: Interval for checking whether an online user is idle. It ranges from 10 to 86400 seconds. Value 0 means the idle user checking function is disabled.

Description

Use the web-authentication timer idle-cut command to set the idle user checking interval for Web authentication.

Use the undo web-authentication timer idle-cut command to restore the default.

By default, the idle user checking interval is 900 seconds for Web authentication.

 

The idle user checking interval is the interval at which the system checks whether a user is idle. When a user is found idle, if the corresponding MAC address entry has not been aged out, the system keeps the user online; otherwise, the system logs off the user. It is recommended that you set the interval to a value that is greater than half of the MAC address entry aging time but less than the MAC address entry aging time.

 

Examples

# Set the idle user checking interval to 500 seconds for Web authentication.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] web-authentication timer idle-cut 500

web-authentication timer max-online

Syntax

web-authentication timer max-online timer

undo web-authentication timer max-online

View

System view

Parameters

timer: Maximum online time specified for online users, in the range of 10 to 86400, in seconds. Value 0 means there is no limit to the online time of users.

Description

Use the web-authentication timer max-online command to set the maximum online time for online users. If a user does not log off after the online timer expires, the switch will log off the user forcibly.

Use the undo web-authentication timer max-online command to restore the default.

By default, the maximum online time for users is 1800 seconds.

Examples

# Set the maximum online time of users to 36000 seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] web-authentication timer max-online 36000

web-authentication web-proxy port

Syntax

web-authentication web-proxy port port-number

undo web-authentication web-proxy port { port-number | all }

View

System view

Parameters

web-proxy port port-number: Specifies a proxy server port for web authentication, in the range 1 to 65535.

all: Deletes all proxy server ports for web authentication.

Description

Use the web-authentication web-proxy port command to configure a proxy server port for web authentication.

Use the undo web-authentication web-proxy port command to delete the specified proxy server port or all proxy server ports configured for web authentication.

By default, no proxy server port is configured.

Note that:

•  Up to eight proxy server ports can be configured.

•  The port configured using this command cannot be the one used in the web-authentication web-server ip ip-address port port-number command; otherwise, an error message is displayed.

Examples

# Configure the proxy server port as 8080 for web authentication.

<Sysname> system-view

[Sysname] web-authentication web-proxy port 8080

web-authentication web-server

Syntax

web-authentication web-server ip ip-address [ port port-number ]

undo web-authentication web-server

View

System view

Parameters

ip-address: IP address of the Web authentication server. It must be a valid unicast address.

port-number: Port number of the Web authentication server. It ranges from 1 to 50000, with 80 as the default.

Description

Use the web-authentication web-server ip command to set the IP address and port number of the Web authentication server, which will be used for Web authentication of users.

Use the undo web-authentication web-server command to restore the default.

By default, no Web authentication server IP address is set and the port number is 80.

 

Before enabling Web authentication globally, you should first set the IP address of the Web authentication server.

 

Examples

# Set the IP address and port number of the Web authentication server to 192.168.0.56 and 80.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] web-authentication web-server ip 192.168.0.56 port 80
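The ordering, range and overlap constraints stated in the notes for web-authentication free-ip, protocol, timer idle-cut, web-proxy port and web-server can be checked on a planned command sequence before it is applied to the switch. The following Python check is an added example, not H3C code; the function name lint_web_auth, the rule names, the sample plan and the mac_aging parameter are assumptions made for illustration.

```python
import ipaddress

# Constructed sample plan (not from a real device) that breaks several notes at once.
BAD_PLAN = [
    "[Sysname] web-authentication web-server ip 192.168.0.56 port 80",
    "[Sysname] web-authentication free-ip 192.168.0.0 24",
    "[Sysname] web-authentication web-proxy port 80",
    "[Sysname] web-authentication timer idle-cut 500",
    "[Sysname] web-authentication enable",
    "[Sysname] web-authentication protocol https server-policy pt_ssl",
]

def lint_web_auth(lines, mac_aging=None):
    """Check planned commands against the constraints stated in this manual.

    mac_aging: MAC address entry aging time in seconds, supplied by the caller
    (assumption; the manual gives no value). Returns a list of (severity, rule).
    """
    out = []
    server_ip, server_port = None, 80      # manual: server port defaults to 80
    protocol, enabled = "http", False      # manual: HTTP is the default protocol
    free_nets, proxy_ports = [], set()
    for raw in lines:
        tok = raw.split()
        if tok and tok[0].startswith(("[", "<")):   # drop a pasted CLI prompt
            tok = tok[1:]
        if tok[:3] == ["undo", "web-authentication", "enable"]:
            enabled = False
            continue
        if tok[:1] != ["web-authentication"]:
            continue
        a = tok[1:]
        if a[:2] == ["web-server", "ip"]:
            server_ip = ipaddress.ip_address(a[2])
            server_port = int(a[4]) if a[3:4] == ["port"] else 80
            if not 1 <= server_port <= 50000:
                out.append(("error", "web-server-port-range"))
        elif a[:1] == ["free-ip"]:
            # ip_network accepts both a mask length and a dotted mask
            free_nets.append(ipaddress.ip_network(f"{a[1]}/{a[2]}", strict=False))
        elif a[:2] == ["web-proxy", "port"]:
            proxy_ports.add(int(a[2]))
        elif a[:1] == ["protocol"]:
            if enabled:                    # protocol cannot change once enabled
                out.append(("error", "protocol-after-enable"))
            else:
                protocol = a[1]
        elif a[:1] == ["timer"] and len(a) == 3 and a[1] in ("idle-cut", "max-online"):
            t = int(a[2])
            if t != 0 and not 10 <= t <= 86400:
                out.append(("error", f"{a[1]}-range"))
            elif a[1] == "idle-cut" and t and mac_aging and not mac_aging / 2 < t < mac_aging:
                out.append(("warn", "idle-cut-vs-mac-aging"))
        elif a == ["enable"]:
            if server_ip is None:          # server IP must be set before enabling
                out.append(("error", "enable-before-web-server"))
            enabled = True
    if len(free_nets) > 16:
        out.append(("error", "more-than-16-free-ip"))
    if server_ip is not None and any(server_ip in n for n in free_nets):
        out.append(("error", "free-ip-covers-web-server"))
    if len(proxy_ports) > 8:
        out.append(("error", "more-than-8-proxy-ports"))
    if server_port in proxy_ports:
        out.append(("error", "proxy-port-equals-server-port"))
    if enabled and protocol == "http":     # manual: HTTP leaves auth info unencrypted
        out.append(("warn", "http-auth-info-unencrypted"))
    return out
```

Calling lint_web_auth(BAD_PLAN, mac_aging=300) reports the free-ip overlap, the proxy/server port clash, the protocol change after enable, the idle-cut recommendation and the unencrypted HTTP default.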

 
