10-Security Command Reference
04-Portal commands
Portal commands
default-logon-page
Use default-logon-page to specify the default authentication page file for the local portal Web server.
Use undo default-logon-page to restore the default.
Syntax
default-logon-page file-name
undo default-logon-page
Default
No default authentication page file is specified for the local portal Web server.
Views
Local portal Web server view
Predefined user roles
network-admin
mdc-admin
Parameters
file-name: Specifies the default authentication page file by the file name (without the file storage directory). The file name is a case-sensitive string of 1 to 91 characters. Valid characters are letters, digits, dots (.) and underscores (_).
Usage guidelines
You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.
After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages. The device then sets them as the default authentication pages for local portal authentication.
For successful local portal authentication, you must specify the default portal authentication page file for the local portal Web server.
Examples
# Specify the file pagefile1.zip as the default authentication page file for local portal authentication.
<Sysname> system-view
[Sysname] portal local-web-server http
[Sysname-portal-local-websvr-http] default-logon-page pagefile1.zip
Related commands
portal local-web-server
display portal interface
Use display portal interface to display portal configuration and portal running state on an interface.
Syntax
display portal interface interface-type interface-number
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Examples
# Display portal configuration and portal running state on VLAN-interface 2.
<Sysname> display portal interface vlan-interface 2
Portal information of Vlan-interface2
Nas id profile: profile1
IPv4:
Portal status: Enabled
Authentication type: Direct
Portal Web server : wbs
Authentication domain: my-domain
BAS-IP: Not configured
User detection : Type: ICMP Interval: 300s Attempts: 5 Idle time: 180s
Action for server detection:
Server type Server name Action
Web server wbs fail-permit
Portal server pts fail-permit
Layer3 source network:
IP address Mask
1.1.1.1 255.255.0.0
Destination authentication subnet:
IP address Mask
2.2.2.2 255.255.255.0
IPv6:
portal status: Enabled
Authentication type: Direct
Portal Web server: wbsv6
Authentication domain: my-domain
BAS-IPv6:Not configured
User detection: Type: ICMPv6 Interval: 300s Attempts: 5 Idle time: 180s
Action for server detection:
Server type Server name Action
Web server wbsv6 fail-permit
Portal server ptsv6 fail-permit
Layer3 source network:
IP address Prefix length
11::5 64
Destination authentication subnet:
IP address Prefix length
Table 1 Command output
Field | Description |
---|---|
Portal information of interface | Portal configuration on the interface. |
Nas id profile | NAS-ID profile specified on the interface. |
IPv4 | IPv4 portal configuration. |
IPv6 | IPv6 portal configuration. |
Portal status | Portal authentication status on the interface: · Disabled—Portal authentication is disabled. · Enabled—Portal authentication is enabled. · Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication. |
Authentication type | Authentication mode enabled on the interface: · Direct—Direct authentication. · Redhcp—Re-DHCP authentication. · Layer3—Cross-subnet authentication. |
Portal Web server | Name of the portal Web server specified on the interface. |
Authentication domain | Mandatory authentication domain on the interface. |
BAS-IP | BAS-IP attribute of the portal packets sent to the portal authentication server. |
BAS-IPv6 | BAS-IPv6 attribute of the portal packets sent to the portal authentication server. |
User detection | Configuration for online detection of portal users on the interface, including detection method (ARP, ICMP, ND, or ICMPv6), detection interval, maximum number of detection attempts, and user idle time. |
Action for server detection | Portal server detection configuration on the interface: · Server type—Type of the server. Portal server represents the portal authentication server, and Web server represents the portal Web server. · Server name—Name of the server. · Action—Action triggered by the result of server detection. This field displays fail-permit when the portal fail-permit feature is enabled. |
Layer3 source subnet | Information of the portal authentication source subnet. |
Destination authentication subnet | Information of the portal authentication destination subnet. |
IP address | IP address of the portal authentication subnet. |
Mask | Subnet mask of the portal authentication subnet. |
Prefix length | Prefix length of the IPv6 portal authentication subnet address. |
Related commands
· portal domain
· portal enable
· portal free-all except destination
· portal ipv6 free-all except destination
· portal ipv6 layer3 source
· portal layer3 source
· portal web-server
display portal packet statistics
Use display portal packet statistics to display packet statistics for portal authentication servers. The statistics are for the packets the device sent to and received from the portal authentication servers.
Syntax
display portal packet statistics [ server server-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify the server server-name option, this command displays packet statistics for all portal authentication servers.
Examples
# Display packet statistics for portal authentication server pts.
<Sysname> display portal packet statistics server pts
Portal server : pts
Invalid packets: 0
Pkt-Type Total Drops Errors
REQ_CHALLENGE 3 0 0
ACK_CHALLENGE 3 0 0
REQ_AUTH 3 0 0
ACK_AUTH 3 0 0
REQ_LOGOUT 1 0 0
ACK_LOGOUT 1 0 0
AFF_ACK_AUTH 3 0 0
NTF_LOGOUT 1 0 0
REQ_INFO 6 0 0
ACK_INFO 6 0 0
NTF_USERDISCOVER 0 0 0
NTF_USERIPCHANGE 0 0 0
AFF_NTF_USERIPCHAN 0 0 0
ACK_NTF_LOGOUT 1 0 0
NTF_USER_HEARTBEAT 2 0 0
ACK_NTF_USER_HEARTBEAT 0 0 0
NTF_CHALLENGE 0 0 0
NTF_USER_NOTIFY 0 0 0
AFF_NTF_USER_NOTIFY 0 0 0
Table 2 Command output
Field | Description |
---|---|
Portal server | Name of the portal authentication server. |
Invalid packets | Number of invalid packets. |
Pkt-Type | Packet type. |
Total | Total number of packets. |
Drops | Number of dropped packets. |
Errors | Number of erroneous packets. |
REQ_CHALLENGE | Challenge request packet the portal authentication server sent to the access device. |
ACK_CHALLENGE | Challenge acknowledgment packet the access device sent to the portal authentication server. |
REQ_AUTH | Authentication request packet the portal authentication server sent to the access device. |
ACK_AUTH | Authentication acknowledgment packet the access device sent to the portal authentication server. |
REQ_LOGOUT | Logout request packet the portal authentication server sent to the access device. |
ACK_LOGOUT | Logout acknowledgment packet the access device sent to the portal authentication server. |
AFF_ACK_AUTH | Affirmation packet the portal authentication server sent to the access device after receiving an authentication acknowledgment packet. |
NTF_LOGOUT | Forced logout notification packet the access device sent to the portal authentication server. |
REQ_INFO | Information request packet. |
ACK_INFO | Information acknowledgment packet. |
NTF_USERDISCOVER | User discovery notification packet the portal authentication server sent to the access device. |
NTF_USERIPCHANGE | User IP change notification packet the access device sent to the portal authentication server. |
AFF_NTF_USERIPCHAN | User IP change success notification packet the portal authentication server sent to the access device. |
ACK_NTF_LOGOUT | Forced logout acknowledgment packet the portal authentication server sent to the access device. |
NTF_USER_HEARTBEAT | User synchronization packet the portal authentication server sent to the access device. |
ACK_NTF_USER_HEARTBEAT | User synchronization acknowledgment packet the access device sent to the portal authentication server. |
NTF_HEARTBEAT | Server heartbeat packet the portal authentication server sent to the access device. |
NTF_CHALLENGE | Challenge request packet the access device sent to the portal authentication server. |
NTF_USER_NOTIFY | User information notification packet the access device sent to the portal authentication server. |
AFF_NTF_USER_NOTIFY | NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device. |
Related commands
reset portal packet statistics
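Added example, not from the H3C documentation: a Python check that parses display portal packet statistics output and reports the counters an operator watches, namely invalid packets, per-type drops and errors, and acknowledgments that outnumber the requests that trigger them (pairing and directions taken from Table 2). The sample output is constructed from the example above with a few counters altered so that every check fires.

```python
# Added example (not H3C code): parse "display portal packet statistics" output
# and report the counters an operator watches. SAMPLE is constructed from this
# page's output for server pts, with some counters altered so every check fires.
import re

SAMPLE = """\
Portal server : pts
Invalid packets: 2
Pkt-Type Total Drops Errors
REQ_CHALLENGE 3 0 0
ACK_CHALLENGE 3 0 0
REQ_AUTH 3 1 0
ACK_AUTH 2 0 0
AFF_ACK_AUTH 2 0 0
REQ_LOGOUT 1 0 0
ACK_LOGOUT 1 0 0
NTF_LOGOUT 1 0 0
ACK_NTF_LOGOUT 1 0 0
NTF_USER_HEARTBEAT 2 0 0
ACK_NTF_USER_HEARTBEAT 3 0 1
"""

# Request/acknowledgment pairs and their directions as described in Table 2
# (S = portal authentication server, D = access device).
PAIRS = [
    ("REQ_CHALLENGE", "ACK_CHALLENGE", "S->D / D->S"),
    ("REQ_AUTH", "ACK_AUTH", "S->D / D->S"),
    ("ACK_AUTH", "AFF_ACK_AUTH", "D->S / S->D"),
    ("REQ_LOGOUT", "ACK_LOGOUT", "S->D / D->S"),
    ("NTF_LOGOUT", "ACK_NTF_LOGOUT", "D->S / S->D"),
    ("NTF_USER_HEARTBEAT", "ACK_NTF_USER_HEARTBEAT", "S->D / D->S"),
]


def parse_stats(text):
    """Return {'server', 'invalid', 'types': {Pkt-Type: (Total, Drops, Errors)}}."""
    stats = {"server": None, "invalid": 0, "types": {}}
    for line in text.splitlines():
        if line.startswith("Portal server"):
            stats["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Invalid packets"):
            stats["invalid"] = int(line.split(":", 1)[1])
        else:
            m = re.match(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$", line.strip())
            if m:                   # skips the "Pkt-Type Total Drops Errors" header
                stats["types"][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return stats


def findings(stats):
    """Lines worth an operator's attention; an empty list means the counters look clean."""
    out = []
    if stats["invalid"]:
        out.append(f"{stats['invalid']} invalid packets for server {stats['server']}")
    for name, (total, drops, errors) in stats["types"].items():
        if drops or errors:
            out.append(f"{name}: {drops} drops, {errors} errors out of {total}")
    for req, ack, direction in PAIRS:
        n_req = stats["types"].get(req, (0, 0, 0))[0]
        n_ack = stats["types"].get(ack, (0, 0, 0))[0]
        if n_ack > n_req:           # more replies than the requests that should trigger them
            out.append(f"{ack} ({n_ack}) exceeds {req} ({n_req}) [{direction}]")
    return out
```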
display portal rule
Use display portal rule to display portal packet filtering rules on an interface.
Syntax
In standalone mode:
display portal rule { all | dynamic | static } interface interface-type interface-number [ slot slot-number ]
In IRF mode:
display portal rule { all | dynamic | static } interface interface-type interface-number [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
all: Displays all portal rules, including dynamic and static portal rules.
dynamic: Displays dynamic portal rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface.
static: Displays static portal rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled.
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies a card by its slot number. If you do not specify this option, this command displays portal rules for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device or the virtual chassis number of the PEX. The slot-number argument represents the slot number of the card or PEX. If you do not specify this option, this command displays portal rules for all cards on all IRF member devices. (In IRF mode.)
Examples
# Display all portal rules on VLAN-interface 100.
<Sysname> display portal rule all interface vlan-interface 100
IPv4 portal rules on Vlan-interface100:
Rule 1
Type : Static
Action : Permit
Protocol : Any
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : Any
MAC : 0000-0000-0000
Interface : Vlan-interface100
VLAN : 100
Destination:
IP : 192.168.0.111
Mask : 255.255.255.255
Port : Any
Rule 2
Type : Dynamic
Action : Permit
Status : Active
Source:
IP : 2.2.2.2
MAC : 000d-88f8-0eab
Interface : GigabitEthernet1/0/1
VLAN : 100
Author ACL:
Number : 3001
Rule 3
Type : Static
Action : Redirect
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Interface : Vlan-interface100
VLAN : 100
Protocol : TCP
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : 80
Rule 4:
Type : Static
Action : Deny
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Interface : Vlan-interface100
VLAN : Any
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
IPv6 portal rules on Vlan-interface100:
Rule 1
Type : Static
Action : Permit
Protocol : Any
Status : Active
Source:
IP : ::
Prefix length : 0
Port : Any
MAC : 0000-0000-0000
Interface : Vlan-interface100
VLAN : 100
Destination:
IP : 3000::1
Prefix length : 64
Port : Any
Rule 2
Type : Dynamic
Action : Permit
Status : Active
Source:
IP : 3000::1
MAC : 0015-e9a6-7cfe
Interface : GigabitEthernet1/0/1
VLAN : 100
Author ACL:
Number : 3001
Rule 3
Type : Static
Action : Redirect
Status : Active
Source:
IP : ::
Prefix length : 0
Interface : Vlan-interface100
VLAN : 100
Protocol : TCP
Destination:
IP : ::
Prefix length : 0
Port : 80
Rule 4:
Type : Static
Action : Deny
Status : Active
Source:
IP : ::
Prefix length : 0
Interface : Vlan-interface100
VLAN : 100
Destination:
IP : ::
Prefix length : 0
Table 3 Command output
Field | Description |
---|---|
Rule | Number of the portal rule. IPv4 portal rules and IPv6 portal rules are numbered separately. |
Type | Type of the portal rule: · Static—Static portal rule. · Dynamic—Dynamic portal rule. |
Action | Action triggered by the portal rule: · Permit—The interface allows packets to pass. · Redirect—The interface redirects packets. · Deny—The interface forbids packets to pass. |
Protocol | Transport layer protocol permitted by the portal rule: · Any—Permits any transport layer protocol. · TCP—Permits TCP. · UDP—Permits UDP. |
Status | Status of the portal rule: · Active—The portal rule is effective. · Inactive—The portal rule is not activated. |
Source | Source information of the portal rule. |
IP | Source IP address. |
Mask | Subnet mask of the source IPv4 address. |
Prefix length | Prefix length of the source IPv6 address. |
Port | Source transport layer port number. |
MAC | Source MAC address. |
Interface | Layer 2 or Layer 3 interface on which the portal rule is implemented. |
VLAN | Source VLAN ID. |
Protocol | Protocol type for the portal rule. |
Destination | Destination information of the portal rule. |
IP | Destination IP address. |
Port | Destination transport layer port number. |
Mask | Subnet mask of the destination IPv4 address. |
Prefix length | Prefix length of the destination IPv6 address. |
Author ACL | Authorized ACL of the portal rule. This field is displayed only for a dynamic portal rule. |
Number | Number of the authorized ACL that the AAA server assigns to the user. This field displays None if the AAA server does not assign an ACL. |
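As an added example (not H3C code), the following Python parses the IPv4 part of the display portal rule output above and evaluates constructed flows against the rules in display order, showing why an unauthenticated host's HTTP is redirected, its other traffic denied, traffic to the portal server permitted, and the authenticated host 2.2.2.2 permitted by its dynamic rule. The unauthenticated host 2.2.2.3 and the destination 203.0.113.10 are constructed, and first-match evaluation order is an assumption the page does not state.

```python
# Added example (not H3C code): parse IPv4 "display portal rule" output and evaluate
# constructed flows. SAMPLE is this page's output minus MAC/Interface/VLAN/Author ACL lines.
import ipaddress
import re

SAMPLE = """\
Rule 1
Type : Static
Action : Permit
Protocol : Any
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Destination:
IP : 192.168.0.111
Mask : 255.255.255.255
Port : Any
Rule 2
Type : Dynamic
Action : Permit
Status : Active
Source:
IP : 2.2.2.2
Rule 3
Type : Static
Action : Redirect
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Protocol : TCP
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : 80
Rule 4:
Type : Static
Action : Deny
Status : Active
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
"""

def parse_rules(text):
    """Return rule dicts in display order; Source/Destination become nested dicts."""
    rules, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"^Rule (\d+):?$", line)
        if m:                        # "Rule 4:" carries a stray colon in the output
            rules.append({"id": int(m.group(1))})
            section = None
        elif " : " in line:          # "Key : Value"; IPv6 values contain ':' themselves
            key, value = (s.strip() for s in line.split(" : ", 1))
            target = rules[-1] if section is None else rules[-1].setdefault(section, {})
            target[key] = value
        elif line.endswith(":"):     # "Source:", "Destination:", "Author ACL:"
            section = line[:-1]
    return rules

def _ip_match(spec, ip):
    """A dynamic rule lists a bare host IP with no Mask; treat that as a /32."""
    if spec is None or "IP" not in spec:
        return True
    net = ipaddress.ip_network((spec["IP"], spec.get("Mask", "255.255.255.255")), strict=False)
    return ipaddress.ip_address(ip) in net

def evaluate(rules, src, dst, proto, dport):
    """First active matching rule wins (assumed evaluation order); returns (action, rule id)."""
    for r in rules:
        if r.get("Status") != "Active":
            continue
        s, d = r.get("Source"), r.get("Destination")
        # The output prints Protocol at rule level for Rule 1 but under Source for Rule 3.
        want_proto = r.get("Protocol") or (s or {}).get("Protocol", "Any")
        want_port = (d or {}).get("Port", "Any")
        if not (_ip_match(s, src) and _ip_match(d, dst)):
            continue
        if want_proto not in ("Any", proto) or want_port not in ("Any", str(dport)):
            continue
        return r["Action"], r["id"]
    return "Deny", None              # not reached here: Rule 4 denies everything else

def classify_flows():
    """Constructed flows: 2.2.2.3 is unauthenticated, 2.2.2.2 has passed authentication."""
    rules = parse_rules(SAMPLE)
    flows = {
        "unauth->portal-server": ("2.2.2.3", "192.168.0.111", "TCP", 8080),
        "unauth->web:80": ("2.2.2.3", "203.0.113.10", "TCP", 80),
        "unauth->web:443": ("2.2.2.3", "203.0.113.10", "TCP", 443),
        "authed->web:443": ("2.2.2.2", "203.0.113.10", "TCP", 443),
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}
```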
display portal server
Use display portal server to display information about portal authentication servers.
Syntax
display portal server [ server-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify the server-name argument, this command displays information about all portal authentication servers.
Examples
# Display information about portal authentication server pts.
<Sysname> display portal server pts
Portal server: pts
IP : 192.168.0.111
VPN instance : vpn1
Port : 50100
Server detection : Timeout 60s Action: log, trap
User synchronization : Timeout 200s
Status : Up
Table 4 Command output
Field | Description |
---|---|
Portal server | Name of the portal authentication server. |
IP | IP address of the portal authentication server. |
VPN instance | MPLS L3VPN where the portal authentication server resides. |
Port | Listening port on the portal authentication server. |
Server detection | Parameters for portal authentication server detection: · Detection timeout in seconds. · Actions (log and trap) triggered by the reachability status change of the portal authentication server. |
User synchronization | User idle timeout in seconds for portal user synchronization. |
Status | Reachability status of the portal authentication server: · N/A—Portal authentication server detection is disabled. Reachability status of the server is unknown. · Up—Portal authentication server detection is enabled. The server is reachable. · Down—Portal authentication server detection is enabled. The server is unreachable. |
Related commands
· portal enable
· portal server
· server-detect (portal authentication server view)
· user-sync
display portal user
Use display portal user to display information about portal users.
Syntax
display portal user { all | interface interface-type interface-number }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
all: Displays information about all portal users.
interface interface-type interface-number: Displays information about portal users on the specified interface.
Examples
# Display information about all portal users.
<Sysname> display portal user all
Total portal users: 1
Username: abc
Portal server: pts
State: Online
Authorization ACL: None
VPN instance: --
MAC IP VLAN Interface
1222-1600-01fe 2.2.2.2 100 Vlan-interface100
Table 5 Command output
Field | Description |
---|---|
Total portal users | Total number of portal users. |
Username | Name of the user. |
Portal server | Name of the portal authentication server. |
State | Current state of the portal user: · Initialized—The user is initialized and ready for authentication. · Authenticating—The user is being authenticated. · Authorizing—The user is being authorized. · Online—The user is online. |
Authorization ACL | ACLs authorized to the portal user. |
VPN instance | MPLS L3VPN the portal user belongs to. If the portal user is on a public network, this field displays double hyphens (--). |
MAC | MAC address of the portal user. In cross-subnet portal authentication, this field displays all 0s. |
IP | IP address of the portal user. |
VLAN | VLAN where the portal user resides. |
Interface | Access interface of the portal user. |
Related commands
portal enable
display portal web-server
Use display portal web-server to display information about portal Web servers.
Syntax
display portal web-server [ server-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify the server-name argument, this command displays information about all portal Web servers.
Examples
# Display information about portal Web server wbs.
<Sysname> display portal web-server wbs
Portal Web server: wbs
URL : http://www.test.com/portal
URL parameters : userurl=http://www.test.com/welcome
userip=source-address
VPN instance : Not configured
Server detection : Interval: 120s Attempts: 5 Action: log, trap
IPv4 status : Up
IPv6 status : N/A
Table 6 Command output
Field | Description |
---|---|
Portal Web server | Name of the portal Web server. |
URL | URL of the portal Web server. |
URL parameters | URL parameters for the portal Web server. |
VPN instance | Name of the MPLS L3VPN where the portal Web server resides. |
Server detection | Parameters for portal Web server detection: · Detection interval in seconds. · Maximum number of detection attempts. · Actions (log and trap) triggered by the reachability status change of the portal Web server. |
IPv4/IPv6 status | Current state of the portal Web server: · N/A—Portal Web server detection is disabled. Reachability status of the server is unknown. · Up—Portal Web server detection is enabled. The server is reachable. · Down—Portal Web server detection is enabled. The server is unreachable. |
Related commands
· portal enable
· portal web-server
· server-detect (portal Web server view)
ip
Use ip to specify the IP address of an IPv4 portal authentication server.
Use undo ip to delete the IP address of the IPv4 portal authentication server.
Syntax
ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } key-string ]
undo ip
Default
The IP address of the IPv4 portal authentication server is not specified.
Views
Portal authentication server view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IP address of the IPv4 portal authentication server.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN where the portal authentication server resides by the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server is on the public network, do not specify this option.
key: Specifies a shared key for communication with the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key-string: Specifies the shared key. A plaintext shared key is a case-sensitive string of 1 to 64 characters. A ciphertext shared key is a case-sensitive string of 33 to 117 characters.
Usage guidelines
A portal authentication server has only one IP address. Therefore, in portal authentication server view, only one IP address exists. A newly configured IP address (IPv4 or IPv6) overrides the old address.
Do not configure the same IP address and MPLS L3VPN for different portal authentication servers.
For security purposes, all keys, including keys specified in plain text, are saved in cipher text.
Examples
# Configure the IP address of IPv4 portal authentication server pts as 192.168.0.111 and the plaintext key as portal.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] ip 192.168.0.111 key simple portal
Related commands
· display portal server
· portal server
ipv6
Use ipv6 to specify the IP address of an IPv6 portal authentication server.
Use undo ipv6 to delete the IP address of the IPv6 portal authentication server.
Syntax
ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } key-string ]
undo ipv6
Default
The IP address of the IPv6 portal authentication server is not specified.
Views
Portal authentication server view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-address: Specifies the IP address of the IPv6 portal authentication server.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN where the portal authentication server resides by the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server is on the public network, do not specify this option.
key: Specifies a shared key for communication with the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key-string: Specifies the shared key. A plaintext shared key is a case-sensitive string of 1 to 64 characters. A ciphertext shared key is a case-sensitive string of 33 to 117 characters.
Usage guidelines
A portal authentication server has only one IP address. Therefore, in portal authentication server view, only one IP address exists. A newly configured IP address (IPv4 or IPv6) overrides the old address.
Do not configure the same IP address and MPLS L3VPN for different portal authentication servers.
For security purposes, all keys, including keys specified in plain text, are saved in cipher text.
Examples
# Configure the IP address of IPv6 portal authentication server pts as 2000::1 and the plaintext key as portal.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] ipv6 2000::1 key simple portal
Related commands
· display portal server
· portal server
port
Use port to set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.
Use undo port to restore the default.
Syntax
port port-id
undo port
Default
The access device uses 50100 as the destination UDP port number for unsolicited portal packets.
Views
Portal authentication server view
Predefined user roles
network-admin
mdc-admin
Parameters
port-id: Specifies a destination UDP port number the access device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534.
Usage guidelines
The specified port must be the port that listens to portal packets on the portal authentication server.
Examples
# Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to portal authentication server pts.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] port 50000
Related commands
portal server
portal { bas-ip | bas-ipv6 }
Use portal { bas-ip | bas-ipv6 } to configure the BAS-IP or BAS-IPv6 attribute carried in the portal packets sent to the portal authentication server on an interface.
Use undo portal { bas-ip | bas-ipv6 } to delete the BAS-IP or BAS-IPv6 attribute setting on the interface.
Syntax
portal { bas-ip ipv4-address | bas-ipv6 ipv6-address }
undo portal { bas-ip | bas-ipv6 }
Default
The BAS-IP attribute of an IPv4 portal reply packet sent to the portal authentication server is the source IPv4 address of the packet. The BAS-IPv6 attribute of an IPv6 portal reply packet sent to the portal authentication server is the source IPv6 address of the packet.
The BAS-IP attribute of an IPv4 portal notification packet sent to the portal authentication server is the IPv4 address of the packet's output interface. The BAS-IPv6 attribute of an IPv6 portal notification packet sent to the portal authentication server is the IPv6 address of the packet's output interface.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies BAS-IP for portal packets sent to the portal authentication server. This attribute must be the IPv4 address of an interface on the device. It cannot be 0.0.0.0, 1.1.1.1, a class D address, a class E address, or a loopback address.
ipv6-address: Specifies BAS-IPv6 for portal packets sent to the portal authentication server. This attribute must be the IPv6 address of an interface on the device. It cannot be a multicast address, an all 0 address, or a link-local address.
Usage guidelines
If the device runs Portal 2.0, unsolicited portal packets (such as a logout notification packet) sent to the portal authentication server must carry the BAS-IP attribute. If the device runs Portal 3.0, unsolicited portal packets sent to the portal authentication server must carry the BAS-IP or BAS-IPv6 attribute.
After this command takes effect, the source IP address for unsolicited notification portal packets the device sends to the portal authentication server is the configured BAS-IP or BAS-IPv6. If the attribute is not configured, the source IP address of the packets is the IP address of the packet output interface.
You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface if the following conditions are met:
· The portal authentication server is an H3C IMC server or the portal authentication mode on the interface is re-DHCP.
· The portal device IP address specified on the portal authentication server is not the IP address of the portal packet output interface.
Examples
# On VLAN-interface 100, configure the BAS-IP attribute as 2.2.2.2 for portal packets sent to the portal authentication server.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal bas-ip 2.2.2.2
Related commands
display portal interface
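The address constraints listed above for ipv4-address and ipv6-address can be checked before a configuration push. This Python validator is an added example, not H3C code; the list of interface addresses it consults is constructed here (the device itself knows its interface addresses), and the class E check uses the 240.0.0.0/4 range because the ipaddress module has no class E flag.

```python
# Added example (not H3C code): check a candidate BAS-IP / BAS-IPv6 against the
# constraints listed in the portal { bas-ip | bas-ipv6 } parameter descriptions.
import ipaddress

CLASS_E = ipaddress.ip_network("240.0.0.0/4")   # ipaddress has no class E flag

# Constructed interface address list; on the device this would come from its own interfaces.
INTERFACE_ADDRS = ["2.2.2.2", "2000::1"]


def bas_ip_problem(addr, interface_addrs):
    """Return None if addr is acceptable, otherwise the reason it would be rejected."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if str(ip) in ("0.0.0.0", "1.1.1.1"):
            return "0.0.0.0 and 1.1.1.1 are not allowed"
        if ip.is_multicast:                  # class D, 224.0.0.0/4
            return "class D (multicast) address"
        if ip in CLASS_E:
            return "class E address"
        if ip.is_loopback:                   # 127.0.0.0/8
            return "loopback address"
    else:
        if ip.is_multicast:                  # ff00::/8
            return "multicast address"
        if ip == ipaddress.IPv6Address("::"):
            return "all-zero address"
        if ip.is_link_local:                 # fe80::/10
            return "link-local address"
    if ip not in {ipaddress.ip_address(a) for a in interface_addrs}:
        return "not the address of an interface on the device"
    return None
```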
portal apply web-server
Use portal [ ipv6 ] apply web-server to specify a portal Web server on an interface. The device redirects the HTTP requests sent by unauthenticated portal users to the portal Web server.
Use undo portal [ ipv6 ] apply web-server to delete the portal Web server specified on the interface.
Syntax
portal [ ipv6 ] apply web-server server-name [ fail-permit ]
undo portal [ ipv6 ] apply web-server
Default
No portal Web server is specified on the interface.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6: Specifies an IPv6 portal Web server. If the server is an IPv4 portal Web server, do not specify this keyword.
server-name: Specifies, by name, the portal Web server to apply on the interface. The name is a case-sensitive string of 1 to 32 characters and must already exist.
fail-permit: Enables the portal fail-permit feature on the interface. The portal fail-permit feature allows portal users to access the Internet without authentication when the portal Web server is unreachable.
Usage guidelines
You can enable both IPv4 and IPv6 portal authentication on an interface. Therefore, you can specify both an IPv4 portal Web server and an IPv6 portal Web server on the interface.
When portal fail-permit is enabled for a portal authentication server and a portal Web server on the interface, portal authentication is disabled for users on the interface if either server is unreachable. Portal authentication resumes after both servers become reachable.
Examples
# Specify portal Web server wbs on VLAN-interface 100 for portal authentication.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal apply web-server wbs
Related commands
· display portal interface
· portal fail-permit server
· portal web-server
portal delete-user
Use portal delete-user to log out portal users.
Syntax
portal delete-user { ipv4-address | all | interface interface-type interface-number | ipv6 ipv6-address }
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IP address of an IPv4 portal user.
all: Specifies IPv4 and IPv6 portal users on all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 portal users on the interface.
ipv6 ipv6-address: Specifies the IP address of an IPv6 portal user.
Examples
# Log out the portal user whose IP address is 1.1.1.1.
<Sysname> system-view
[Sysname] portal delete-user 1.1.1.1
Related commands
display portal user
portal domain
Use portal [ ipv6 ] domain to configure a portal authentication domain on an interface. All portal users accessing through the interface must use the authentication domain.
Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain.
Syntax
portal [ ipv6 ] domain domain-name
undo portal [ ipv6 ] domain
Default
No portal authentication domain is configured on the interface.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6: Specifies an authentication domain for IPv6 portal users. Do not specify this keyword for IPv4 portal users.
domain-name: Specifies an ISP authentication domain by its name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
You can specify both an IPv4 portal authentication domain and an IPv6 portal authentication domain on the interface.
Do not specify the ipv6 keyword for IPv4 portal users.
Examples
# Configure the authentication domain for IPv4 portal users as my-domain on VLAN-interface 100.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal domain my-domain
Related commands
display portal interface
portal enable
Use portal [ ipv6 ] enable to enable portal authentication on an interface.
Use undo portal [ ipv6 ] enable to disable portal authentication on the interface.
Syntax
portal enable method { direct | layer3 | redhcp }
portal ipv6 enable method { direct | layer3 }
undo portal [ ipv6 ] enable
Default
Portal authentication is disabled on the interface.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6: Enables IPv6 portal authentication. Do not specify this keyword for IPv4 portal authentication.
method: Specifies an authentication mode:
· direct—Direct authentication.
· layer3—Cross-subnet authentication.
· redhcp—Re-DHCP authentication.
Usage guidelines
Make sure the device supports IPv6 ACL and IPv6 forwarding before you enable IPv6 portal authentication on the interface.
IPv6 portal authentication does not support the re-DHCP authentication mode.
Do not add a portal authentication-enabled Ethernet interface to an aggregation group. Otherwise, portal authentication cannot take effect on the interface.
You can enable both IPv4 and IPv6 portal authentication on an interface.
Examples
# Enable direct IPv4 portal authentication on VLAN-interface 100.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal enable method direct
Related commands
display portal interface
portal fail-permit server
Use portal [ ipv6 ] fail-permit server to enable the portal fail-permit feature for a portal authentication server on the interface.
Use undo portal [ ipv6 ] fail-permit server to disable the portal fail-permit feature for the portal authentication server.
Syntax
portal [ ipv6 ] fail-permit server server-name
undo portal [ ipv6 ] fail-permit server
Default
Portal fail-permit is disabled for the portal authentication server.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server.
server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
When portal fail-permit is enabled for a portal authentication server and a portal Web server on an interface, the interface disables portal authentication for portal users if either server is unreachable. Portal authentication resumes on the interface when both servers become reachable. After portal authentication resumes, unauthenticated portal users need to pass authentication to access network resources. Portal users who have already passed authentication can continue accessing network resources.
You can enable portal fail-permit for at most one portal authentication server and one portal Web server on an interface.
Examples
# Enable portal fail-permit for portal authentication server pts1 on VLAN-interface 100.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal fail-permit server pts1
Related commands
display portal interface
portal free-all except destination
Use portal free-all except destination to configure an IPv4 portal authentication destination subnet on an interface.
Use undo portal free-all except destination to delete the IPv4 portal authentication destination subnets on the interface.
Syntax
portal free-all except destination ipv4-network-address { mask-length | mask }
undo portal free-all except destination [ ipv4-network-address ]
Default
No IPv4 portal authentication destination subnet is configured on the interface. Portal users must pass portal authentication to access any subnet.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-network-address: Specifies an IPv4 portal authentication subnet address.
mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to 32.
mask: Specifies the subnet mask in dotted decimal format.
Usage guidelines
Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication.
You can configure multiple authentication destination subnets.
If you do not specify the ipv4-network-address argument in the undo portal free-all except destination command, this command deletes all IPv4 portal authentication destination subnets on the interface.
Re-DHCP authentication does not support authentication destination subnets.
If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.
Examples
# Configure an IPv4 portal authentication destination subnet of 11.11.11.0/24 on VLAN-interface 2. Portal users need to pass authentication to access this subnet and can access other subnets without authentication.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal free-all except destination 11.11.11.0 24
Related commands
display portal interface
portal free-rule
Use portal free-rule to configure an IP-based portal-free rule.
Use undo portal free-rule to delete portal-free rules.
Syntax
portal free-rule rule-number { destination ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | source ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] } *
portal free-rule rule-number { destination ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] | source ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } *
undo portal free-rule { rule-number | all }
Default
No IP-based portal-free rule is configured.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
rule-number: Specifies a portal-free rule number.
destination: Specifies the destination information.
source: Specifies the source information.
ip ip-address: Specifies an IPv4 address for the portal-free rule.
{ mask-length | mask }: Specifies the subnet mask of the IPv4 address. The value range for the mask-length argument is 0 to 32. The mask argument is in dotted decimal format.
ipv6 ipv6-address: Specifies an IPv6 address for the portal-free rule.
prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.
ip any: Represents any IPv4 address.
ipv6 any: Represents any IPv6 address.
tcp tcp-port-number: Specifies a TCP port number for the portal-free rule, in the range of 0 to 65535.
udp udp-port-number: Specifies a UDP port number for the portal-free rule, in the range of 0 to 65535.
all: Specifies all portal-free rules.
Usage guidelines
You can specify both the source and destination keywords for a portal-free rule. If you specify only one keyword, the other keyword does not act as a filtering criterion.
If you specify both a source port number and a destination port number for a portal-free rule, the two port numbers must belong to the same transport layer protocol.
You cannot configure two portal-free rules with the same filtering criteria.
Examples
# Configure an IPv4-based portal-free rule: specify the rule number as 1, the source IP address as 10.10.10.1/24, the destination IP address as 20.20.20.1, and the destination TCP port number as 23.
<Sysname> system-view
[Sysname] portal free-rule 1 destination ip 20.20.20.1 32 tcp 23 source ip 10.10.10.1 24
With this rule, users in subnet 10.10.10.1/24 do not need to pass portal authentication when they access services provided on TCP port 23 of host 20.20.20.1.
# Configure an IPv6-based portal-free rule: specify the rule number as 2, the source IPv6 address as 2000::1/64, the destination IPv6 address as 2001::1, and the destination TCP port number as 23.
<Sysname> system-view
[Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ipv6 2000::1 64
With this rule, users in subnet 2000::1/64 do not need to pass portal authentication when they access services provided on TCP port 23 of host 2001::1.
Related commands
display portal rule
portal free-rule source
Use portal free-rule source to configure a source-based portal-free rule. The filtering criteria include source MAC address, source interface, and source VLAN.
Use undo portal free-rule to delete portal-free rules.
Syntax
portal free-rule rule-number source { interface interface-type interface-number | mac mac-address | vlan vlan-id } *
undo portal free-rule { rule-number | all }
Default
No source-based portal-free rule is configured.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
rule-number: Specifies a portal-free rule number.
interface interface-type interface-number: Specifies a source interface by its type and number for the portal-free rule.
mac mac-address: Specifies a source MAC address for the portal-free rule, in the form of H-H-H.
vlan vlan-id: Specifies a source VLAN ID for the portal-free rule.
all: Specifies all portal-free rules.
Usage guidelines
If you specify both the source VLAN and the source Layer 2 interface, the interface must be in the VLAN.
Examples
# Configure a source-based portal-free rule: specify the rule number as 3, the source MAC address as 1-1-1, and the source VLAN ID as 10. This rule allows the portal user whose source MAC address is 1-1-1 from VLAN 10 to access network resources without authentication.
<Sysname> system-view
[Sysname] portal free-rule 3 source mac 1-1-1 vlan 10
Related commands
display portal rule
portal ipv6 free-all except destination
Use portal ipv6 free-all except destination to configure an IPv6 portal authentication destination subnet on an interface.
Use undo portal ipv6 free-all except destination to delete IPv6 portal authentication destination subnets on the interface.
Syntax
portal ipv6 free-all except destination ipv6-network-address prefix-length
undo portal ipv6 free-all except destination [ ipv6-network-address ]
Default
No IPv6 portal authentication destination subnet is configured on the interface. Portal users must pass portal authentication to access any IPv6 subnet.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-network-address: Specifies an IPv6 portal authentication destination subnet.
prefix-length: Specifies the prefix length of the IPv6 subnet, in the range of 0 to 128.
Usage guidelines
Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication.
You can configure multiple authentication destination subnets.
If you do not specify the ipv6-network-address argument in the undo portal ipv6 free-all except destination command, this command deletes all IPv6 portal authentication destination subnets on the interface.
Re-DHCP authentication does not support authentication destination subnets.
If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.
Examples
# Configure an IPv6 portal authentication destination subnet of 1::2/16 on VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal ipv6 free-all except destination 1::2 16
Related commands
display portal interface
portal ipv6 layer3 source
Use portal ipv6 layer3 source to configure an IPv6 portal authentication source subnet on an interface.
Use undo portal ipv6 layer3 source to delete IPv6 portal authentication source subnets on an interface.
Syntax
portal ipv6 layer3 source ipv6-network-address prefix-length
undo portal ipv6 layer3 source [ ipv6-network-address ]
Default
No IPv6 portal authentication source subnet is configured on the interface. Portal users from any IPv6 subnet must pass portal authentication.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-network-address: Specifies an IPv6 portal authentication source subnet address.
prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.
Usage guidelines
With IPv6 authentication source subnets configured, only packets from IPv6 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv6 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.
If you do not specify the ipv6-network-address argument in the undo portal ipv6 layer3 source command, this command deletes all IPv6 portal authentication source subnets on the interface.
Only cross-subnet authentication supports authentication source subnets.
If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.
Examples
# Configure an IPv6 portal authentication source subnet of 1::1/16 on VLAN-interface 2. Only portal users from subnet 1::1/16 trigger portal authentication.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal ipv6 layer3 source 1::1 16
Related commands
· display portal interface
· portal ipv6 free-all except destination
portal ipv6 user-detect
Use portal ipv6 user-detect to enable online detection of IPv6 portal users on an interface.
Use undo portal ipv6 user-detect to restore the default.
Syntax
portal ipv6 user-detect type { icmpv6 | nd } [ retry retries ] [ interval interval ] [ idle time ]
undo portal ipv6 user-detect
Default
Online detection of IPv6 portal users is disabled on the interface.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
type: Specifies the detection type.
· icmpv6—ICMPv6 detection.
· nd—ND detection.
retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.
interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.
idle time: Sets the user idle timeout in the range of 60 to 3600 seconds. The default is 180 seconds. When the timeout expires, online detection of portal users is started.
Usage guidelines
If the device receives no packets from a portal user within the idle time, the device detects the user's online status as follows:
· ICMPv6 detection—Sends ICMPv6 requests to the user at configurable intervals to detect the user status.
¡ If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires.
¡ If the device receives no reply after the maximum number of detection attempts, the device logs out the user.
· ND detection—Sends ND requests to the user and detects the ND entry status of the user at configurable intervals.
¡ If the ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ND entry. Then the device resets the idle timer and repeats the detection process when the timer expires.
¡ If the ND entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.
Direct authentication and re-DHCP authentication support both ND detection and ICMPv6 detection. Cross-subnet authentication only supports ICMPv6 detection.
If firewall policies on the access device filter out ICMPv6 packets, ICMPv6 detection might fail and result in the logout of portal users. Make sure the access device does not block ICMPv6 packets before you enable ICMPv6 detection on an interface.
Examples
# Enable online detection of IPv6 portal users on VLAN-interface 100. Configure the detection type as ND, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal ipv6 user-detect type nd retry 5 interval 10 idle 300
Related commands
display portal interface
portal layer3 source
Use portal layer3 source to configure an IPv4 portal authentication source subnet on an interface.
Use undo portal layer3 source to delete IPv4 portal authentication source subnets on an interface.
Syntax
portal layer3 source ipv4-network-address { mask-length | mask }
undo portal layer3 source [ ipv4-network-address ]
Default
No IPv4 portal authentication source subnet is configured. Portal users from any IPv4 subnet must pass portal authentication.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-network-address: Specifies an IPv4 portal authentication source subnet address.
mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.
mask: Specifies the subnet mask in dotted decimal format.
Usage guidelines
With IPv4 authentication source subnets configured, only packets from IPv4 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv4 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.
If you do not specify the ipv4-network-address argument in the undo portal layer3 source command, this command deletes all IPv4 portal authentication source subnets on the interface.
Only cross-subnet authentication supports authentication source subnets.
If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.
Examples
# Configure an IPv4 portal authentication source subnet of 10.10.10.0/24 on VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal layer3 source 10.10.10.0 24
Related commands
· display portal interface
· portal free-all except destination
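How the portal-free rules (portal free-rule), the authentication destination subnets (portal [ ipv6 ] free-all except destination) and the authentication source subnets (portal [ ipv6 ] layer3 source) described above combine for a packet from an unauthenticated user, as an added Python model that is not Comware code; the Packet, FreeRule and PortalInterface names, the verdict strings and the demo configuration are assumptions.

```python
"""Packet handling for an unauthenticated portal user, after the portal free-rule,
free-all except destination and layer3 source guidelines above. Added illustration,
not Comware code; every name here is an assumption."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def net(spec: Union[str, Net, None]) -> Optional[Net]:
    # 'addr/len' or 'addr/dotted-mask' as the CLI takes them; host bits are ignored
    return None if spec is None else ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: Optional[str] = None  # "tcp", "udp", or None for other protocols
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class FreeRule:
    """One IP-based portal-free rule; a None field is a keyword that was not given."""
    number: int
    src: Union[str, Net, None] = None
    dst: Union[str, Net, None] = None
    src_port: Optional[Tuple[str, int]] = None  # ("tcp", 23) or ("udp", 53)
    dst_port: Optional[Tuple[str, int]] = None

    def __post_init__(self) -> None:
        self.src, self.dst = net(self.src), net(self.dst)
        if self.src is None and self.dst is None:
            raise ValueError(f"rule {self.number}: source and/or destination required")
        if self.src_port and self.dst_port and self.src_port[0] != self.dst_port[0]:
            raise ValueError(f"rule {self.number}: ports must use the same transport protocol")

    def criteria(self) -> tuple:
        return (self.src, self.dst, self.src_port, self.dst_port)

    def matches(self, pkt: Packet) -> bool:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return ((self.src is None or src in self.src)  # an IPv4 address in an IPv6 net is False
                and (self.dst is None or dst in self.dst)
                and (self.src_port is None or (pkt.proto, pkt.sport) == self.src_port)
                and (self.dst_port is None or (pkt.proto, pkt.dport) == self.dst_port))


@dataclass
class PortalInterface:
    """A portal-enabled VLAN interface, its free rules and authentication subnets."""
    method: str  # direct | layer3 | redhcp
    free_rules: List[FreeRule] = field(default_factory=list)
    source_subnets: List[Union[str, Net]] = field(default_factory=list)  # portal [ ipv6 ] layer3 source
    destination_subnets: List[Union[str, Net]] = field(default_factory=list)  # portal [ ipv6 ] free-all except destination

    def __post_init__(self) -> None:
        self.source_subnets = [net(n) for n in self.source_subnets]
        self.destination_subnets = [net(n) for n in self.destination_subnets]
        if self.method not in ("direct", "layer3", "redhcp"):
            raise ValueError(f"unknown authentication mode {self.method}")
        if self.method == "redhcp" and self.destination_subnets:
            raise ValueError("re-DHCP authentication does not support destination subnets")
        if self.method != "layer3" and self.source_subnets:
            raise ValueError("only cross-subnet (layer3) authentication supports source subnets")

    def add_rule(self, rule: FreeRule) -> None:
        for existing in self.free_rules:  # two rules with identical criteria are refused
            if existing.criteria() == rule.criteria():
                raise ValueError(f"rule {rule.number}: same criteria as rule {existing.number}")
        self.free_rules.append(rule)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """(verdict, reason) for a packet from an unauthenticated user."""
        rule = next((r for r in self.free_rules if r.matches(pkt)), None)
        if rule is not None:
            return "permit", f"matches portal-free rule {rule.number}"
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if self.destination_subnets:  # when both kinds exist, only these take effect
            if any(dst in n for n in self.destination_subnets):
                return "auth", "destination subnet requires authentication"
            return "permit", "outside the authentication destination subnets"
        if self.source_subnets:
            if any(src in n for n in self.source_subnets):
                return "auth", "source subnet triggers authentication"
            return "drop", "user outside every authentication source subnet"
        return "auth", "portal authentication required"


def demo_interface() -> PortalInterface:
    """VLAN-interface 2 built from the examples above (constructed configuration)."""
    iface = PortalInterface("direct", destination_subnets=["11.11.11.0/24"])
    # portal free-rule 1 destination ip 20.20.20.1 32 tcp 23 source ip 10.10.10.1 24
    iface.add_rule(FreeRule(1, src="10.10.10.1/24", dst="20.20.20.1/32", dst_port=("tcp", 23)))
    # portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ipv6 2000::1 64
    iface.add_rule(FreeRule(2, src="2000::1/64", dst="2001::1/128", dst_port=("tcp", 23)))
    return iface
```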
portal local-web-server
Use portal local-web-server to create a local portal Web server and enter its view, or enter the view of an existing local portal Web server.
Use undo portal local-web-server to delete the local portal Web server.
Syntax
portal local-web-server { http | https ssl-server-policy policy-name [ tcp-port port-number ] }
undo portal local-web-server { http | https }
Default
No local portal Web servers exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
http: Configures the local portal Web server to use HTTP to exchange authentication information with clients.
https: Configures the local portal Web server to use HTTPS to exchange authentication information with clients.
ssl-server-policy policy-name: Specifies an existing SSL server policy for HTTPS. The policy name is a case-insensitive string of 1 to 31 characters.
tcp-port port-number: Specifies the TCP port number on which the local portal server listens for HTTPS. The value range for the port-number argument is 1 to 65535. The default port number is 443.
Usage guidelines
After a local portal Web server is configured on the access device, the access device also acts as the portal Web server and the portal authentication server. No external portal Web server and portal authentication server are needed.
For an interface to use the local portal Web server, the URL of the portal Web server specified for the interface must meet the following requirements:
· The IP address in the URL must be a local IP address on the device (except the IP address 127.0.0.1).
· The URL must end with /portal/. For example: http://1.1.1.1/portal/.
You cannot delete an SSL server policy by using the undo ssl server-policy command when the policy is associated with HTTPS.
To change the SSL server policy for HTTPS:
1. Use the undo portal local-web-server https command to delete the local portal Web server.
2. Re-create the local portal Web server and specify a new SSL server policy.
When you configure the HTTPS listening TCP port for the local portal Web server, follow these guidelines:
· For the local portal Web server that uses HTTPS and other services that use HTTPS:
¡ If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.
¡ If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.
· Do not configure the HTTPS listening TCP port number as the port number used by a known protocol (except HTTPS). For example, do not specify port numbers 80 and 23, which are used by HTTP and Telnet, respectively.
· Do not configure the same TCP port number for the HTTP and HTTPS local portal Web servers.
Examples
# Configure a local portal Web server. Use HTTP to exchange authentication information with clients.
<Sysname> system-view
[Sysname] portal local-web-server http
[Sysname-portal-local-websvr-http] quit
# Configure a local portal Web server. Use HTTPS to exchange authentication information with clients, and specify SSL server policy policy1 for HTTPS.
<Sysname> system-view
[Sysname] portal local-web-server https ssl-server-policy policy1
[Sysname-portal-local-websvr-https] quit
# Change the SSL server policy to policy2.
[Sysname] undo portal local-web-server https
[Sysname] portal local-web-server https ssl-server-policy policy2
[Sysname-portal-local-websvr-https] quit
# Configure a local portal Web server. Use HTTPS to exchange authentication information with clients, specify SSL server policy policy1 for HTTPS, and set the HTTPS service listening port number to 442.
<Sysname> system-view
[Sysname] portal local-web-server https ssl-server-policy policy1 tcp-port 442
[Sysname-portal-local-websvr-https] quit
Related commands
· default-logon-page
· portal local-web-server
· ssl server-policy
portal max-user
Use portal max-user to set the maximum number of total portal users allowed in the system.
Use undo portal max-user to restore the default.
Syntax
portal max-user max-number
undo portal max-user
Default
The total number of portal users allowed in the system is not limited.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
max-number: Specifies the maximum number of total portal users in the system. The value range for this argument is 1 to 4294967295.
Usage guidelines
If you configure the maximum total number smaller than the number of current online portal users on the device, this command still takes effect. The online users are not affected by this command, but the system forbids new portal users to log in.
This command sets the total maximum number of online IPv4 and IPv6 portal users combined.
Examples
# Set the maximum number of online portal users allowed in the system to 100.
<Sysname> system-view
[Sysname] portal max-user 100
Related commands
· display portal user
· portal { ipv4-max-user | ipv6-max-user }
portal nas-id-profile
Use portal nas-id-profile to specify a NAS-ID profile for an interface.
Use undo portal nas-id-profile to remove the NAS-ID profile from the interface.
Syntax
portal nas-id-profile profile-name
undo portal nas-id-profile
Default
An interface is not specified with any NAS-ID profile.
Views
VLAN interface view
Predefined user roles
network-admin
Parameters
profile-name: Specifies the name of a NAS-ID profile, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A NAS-ID profile defines the binding relationship between VLANs and NAS-IDs. To configure a NAS-ID profile, use the aaa nas-id profile command. For more information, see "AAA commands."
If an interface is specified with a NAS-ID profile, the interface prefers to use the bindings defined in the profile.
If no NAS-ID profile is specified for an interface or no matching binding is found in the specified profile, the device uses the device name as the interface NAS-ID.
Examples
# Specify NAS-ID profile aaa for VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal nas-id-profile aaa
Related commands
aaa nas-id profile
portal outbound-filter enable
Use portal [ ipv6 ] outbound-filter enable to enable outgoing packet filtering on a portal-enabled interface.
Use undo portal [ ipv6 ] outbound-filter enable to disable outgoing packet filtering on a portal-enabled interface.
Syntax
portal [ ipv6 ] outbound-filter enable
undo portal [ ipv6 ] outbound-filter enable
Default
Outgoing packet filtering is disabled. A portal-enabled interface can send any packets.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies outgoing IPv6 packets. If you do not specify this keyword, the command is for outgoing IPv4 packets.
Usage guidelines
When you enable this feature on a portal-enabled interface, the device permits the interface to send the following packets:
· Packets whose destination IP addresses are IP addresses of authenticated portal users.
· Packets that match portal-free rules.
Other outgoing packets on the interface are dropped.
Examples
# Enable outgoing packet filtering on VLAN-interface 100.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal outbound-filter enable
Related commands
portal enable
portal roaming enable
Use portal roaming enable to enable portal roaming.
Use undo portal roaming enable to disable portal roaming.
Syntax
portal roaming enable
undo portal roaming enable
Default
Portal roaming is disabled. An online portal user cannot roam in its VLAN.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command applies only to portal users that log in from VLAN interfaces.
If portal roaming is enabled, an online portal user can access network resources from any Layer 2 port in its local VLAN. If portal roaming is disabled, the portal user can access network resources only from the Layer 2 port on which it passes authentication.
This command can be executed only when no user is online.
Examples
# Enable portal roaming.
<Sysname> system-view
[Sysname] portal roaming enable
portal server
Use portal server to create a portal authentication server and enter its view.
Use undo portal server to delete the specified portal authentication server.
Syntax
portal server server-name
undo portal server server-name
Default
No portal authentication server is configured on the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
In portal authentication server view, you can configure the following parameters and features for the portal authentication server:
· IP address of the server.
· MPLS L3VPN where the portal authentication server resides.
· Pre-shared key for communication between the access device and the server.
· Destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.
· Server detection feature.
You can configure multiple portal authentication servers for an access device.
Examples
# Create portal authentication server pts and enter its view.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts]
Related commands
display portal server
portal user-detect
Use portal user-detect to enable online detection of IPv4 portal users on an interface.
Use undo portal user-detect to restore the default.
Syntax
portal user-detect type { arp | icmp } [ retry retries ] [ interval interval ] [ idle time ]
undo portal user-detect
Default
Online detection of IPv4 portal users is disabled on the interface.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
type: Specifies the detection type.
· arp—ARP detection.
· icmp—ICMP detection.
retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.
interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.
idle time: Sets a user idle timeout in the range of 60 to 3600 seconds. The default is 180 seconds. When the timeout expires, online detection of IPv4 portal users is started.
Usage guidelines
If the device receives no packets from a portal user within the configured idle time, the device detects the user's online status as follows:
· ICMP detection—Sends ICMP requests to the user at configurable intervals to detect the user status.
¡ If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires.
¡ If the device receives no reply after the maximum number of detection attempts, the device logs out the user.
· ARP detection—Sends ARP requests to the user and detects the ARP entry status of the user at configurable intervals.
¡ If the ARP entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP entry. Then the device resets the idle timer and repeats the detection process when the timer expires.
¡ If the ARP entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.
Direct authentication and re-DHCP authentication support both ARP detection and ICMP detection. Cross-subnet authentication only supports ICMP detection.
If firewall policies on the access device filter out ICMP packets, ICMP detection might fail and result in the logout of portal users. Make sure the access device does not block ICMP packets before you enable ICMP detection on an interface.
Examples
# Enable online detection of IPv4 portal users on VLAN-interface 100. Configure the detection type as ARP, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal user-detect type arp retry 5 interval 10 idle 300
Related commands
display portal interface
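The idle timer, detection interval and retry logic shared by portal user-detect (ARP/ICMP) and portal ipv6 user-detect (ND/ICMPv6), replayed in Python as an added example that is not Comware code; the UserDetect class, simulate(), logout_time() and the traffic timeline are constructed assumptions.

```python
"""Replay of the online-detection cycle behind portal user-detect (ARP/ICMP)
and portal ipv6 user-detect (ND/ICMPv6). Added illustration, not Comware
code; UserDetect, simulate() and logout_time() are assumed names."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Event = Tuple  # ("probe", t, attempt), ("online", t) or ("logout", t)


@dataclass
class UserDetect:
    """One portal [ ipv6 ] user-detect command on a VLAN interface."""
    dtype: str              # arp | icmp (IPv4), nd | icmpv6 (IPv6)
    method: str = "direct"  # direct | layer3 | redhcp (the interface's portal enable method)
    retry: int = 3          # retry retries, 1 to 10
    interval: int = 3       # interval interval, 1 to 1200 seconds
    idle: int = 180         # idle time, 60 to 3600 seconds

    def __post_init__(self) -> None:
        if self.dtype not in ("arp", "icmp", "nd", "icmpv6"):
            raise ValueError(f"unknown detection type {self.dtype}")
        if not (1 <= self.retry <= 10 and 1 <= self.interval <= 1200 and 60 <= self.idle <= 3600):
            raise ValueError("retry, interval or idle out of range")
        # Cross-subnet authentication only supports ICMP/ICMPv6 detection.
        if self.method == "layer3" and self.dtype in ("arp", "nd"):
            raise ValueError(f"{self.dtype} detection needs direct or re-DHCP authentication")


def simulate(cfg: UserDetect, traffic: Iterable[int], responsive_until: int,
             horizon: int) -> List[Event]:
    """Second-by-second replay for one user who logged in at t=0.
    `traffic` lists the seconds at which the device sees a packet from the user;
    the host answers probes (ICMP reply, or ARP/ND entry refresh) only while
    t <= responsive_until. Both inputs are constructed for the demonstration."""
    seen = set(traffic)
    events: List[Event] = []
    last_seen = 0       # last packet from the user (idle timer reference)
    attempts = 0        # probes sent in the current detection round
    next_probe = None   # None while the idle timer is running
    for t in range(horizon + 1):
        if t in seen:
            # Assumption: any user packet proves the user online, resets the idle
            # timer and abandons a detection round in progress.
            last_seen, attempts, next_probe = t, 0, None
            continue
        if next_probe is None and t - last_seen >= cfg.idle:
            next_probe = t  # idle timeout expired: start online detection
        if next_probe != t:
            continue
        attempts += 1
        events.append(("probe", t, attempts))
        if t <= responsive_until:
            # Reply (or refreshed ARP/ND entry) within the allowed attempts:
            # the user is online, probing stops and the idle timer restarts.
            events.append(("online", t))
            last_seen, attempts, next_probe = t, 0, None
        elif attempts >= cfg.retry:
            events.append(("logout", t))  # no reply after all attempts
            break
        else:
            next_probe = t + cfg.interval
    return events


def logout_time(events: List[Event]) -> Optional[int]:
    """Second at which the user was logged out, or None if still online."""
    return next((e[1] for e in events if e[0] == "logout"), None)
```

With the page's example values (retry 5, interval 10, idle 300) a host that stops answering is logged out 40 seconds after the idle timer expires; with the defaults and a firewall dropping the probes, the logout comes at idle + 2 * interval, which is the failure mode the guidelines warn about.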
portal web-server
Use portal web-server to create a portal Web server and enter its view.
Use undo portal web-server to delete the specified portal Web server.
Syntax
portal web-server server-name
undo portal web-server server-name
Default
No portal Web server is configured on the device.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP requests of unauthenticated portal users to the portal Web server. In portal Web server view, you can configure the URL and URL parameters for the portal Web server and the portal Web server detection feature.
Examples
# Create portal Web server wbs and enter its view.
<Sysname> system-view
[Sysname] portal web-server wbs
[Sysname-portal-websvr-wbs]
Related commands
· display portal web-server
· portal apply web-server
reset portal packet statistics
Use reset portal packet statistics to clear packet statistics for portal authentication servers.
Syntax
reset portal packet statistics [ server server-name ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify the server server-name argument, this command clears packet statistics for all portal authentication servers.
Examples
# Clear packet statistics for portal authentication server pts.
<Sysname> reset portal packet statistics server pts
Related commands
display portal packet statistics
server-detect (portal authentication server view)
Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status.
Use undo server-detect to restore the default.
Syntax
server-detect [ timeout timeout ] { log | trap } *
undo server-detect
Default
Portal authentication server detection is disabled.
Views
Portal authentication server view
Predefined user roles
network-admin
mdc-admin
Parameters
timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds.
{ log | trap } *: Specifies the action to be taken after the device detects reachability status change of the portal authentication server. You can select one of the following options or both:
· log—When reachability status of the portal authentication server changes, the device sends a log message. The log message contains the name, the original state, and the current state of the portal authentication server.
· trap—When reachability status of the portal authentication server changes, the device sends a trap message to the NMS. The trap message contains the name and the current state of the portal authentication server.
Usage guidelines
The portal authentication server detection feature is effective only when the portal authentication server supports server heartbeat. Currently, only the IMC portal authentication server supports server heartbeat.
If the device receives portal packets from the portal authentication server before the detection timeout expires and verifies that the packets are correct, it considers the portal authentication server reachable. Otherwise, it considers the portal authentication server unreachable.
Examples
# Enable server detection for portal authentication server pts:
· Set the detection timeout to 600 seconds.
· Configure the device to send a log message and a trap message if the server reachability status changes.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] server-detect timeout 600 log trap
Related commands
portal server
server-detect (portal Web server view)
Use server-detect to enable portal Web server detection.
Use undo server-detect to restore the default.
Syntax
server-detect [ interval interval ] [ retry retries ] { log | trap } *
undo server-detect
Default
Portal Web server detection is disabled.
Views
Portal Web server view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval: Specifies a detection interval in the range of 10 to 1200 seconds. The default is 20 seconds.
retry retries: Specifies the maximum number of consecutive detection failures, in the range of 1 to 10. The default is 3. If the number of consecutive failed detections reaches this threshold, the device considers the server as unreachable.
{ log | trap } *: Specifies the action to be taken after the device detects reachability status change of the portal Web server. You can select one of the following options or both:
· log—When reachability status of the portal Web server changes, the device sends a log message. The log message contains the name, the original state, and the current state of the portal Web server.
· trap—When reachability status of the portal Web server changes, the device sends a trap message to the NMS. The trap message contains the name and the current state of the portal Web server.
Usage guidelines
The access device performs server detection independently. No configuration on the portal Web server is required for the detection.
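The following model of the interval/retry logic above is an added example, not Comware code: it counts consecutive failed probes against the retry threshold and emits the log and trap events the command configures. It assumes the server starts as reachable and that a single successful probe restores the reachable state, neither of which the reference states.

```python
from dataclasses import dataclass, field


@dataclass
class WebServerDetector:
    """Reachability tracker for one portal Web server (constructed model)."""
    name: str
    interval: int = 20        # seconds between probes (default 20)
    retries: int = 3          # consecutive failures before "unreachable" (default 3)
    log: bool = True          # send a log message on state change
    trap: bool = True         # send a trap to the NMS on state change
    reachable: bool = True    # assumption: initial state is reachable
    failures: int = 0
    events: list = field(default_factory=list)

    def probe(self, ok: bool) -> list:
        """Feed one probe result and return the events it generated."""
        if ok:
            self.failures = 0          # assumption: one success clears the count
        else:
            self.failures += 1
        new_state = self.failures < self.retries
        generated = []
        if new_state != self.reachable:
            old, new = _label(self.reachable), _label(new_state)
            # log message carries name, original state and current state
            if self.log:
                generated.append(("log", self.name, old, new))
            # trap message carries only name and current state
            if self.trap:
                generated.append(("trap", self.name, new))
            self.reachable = new_state
        self.events.extend(generated)
        return generated

    def worst_case_detection_delay(self) -> int:
        """Seconds from the first missed probe until the server is declared unreachable."""
        return self.interval * self.retries


def _label(state: bool) -> str:
    return "reachable" if state else "unreachable"
```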
Examples
# Enable server detection for portal Web server wbs:
· Set the detection interval to 600 seconds.
· Set the maximum number of consecutive detection failures to 2.
· Configure the device to send a log message and a trap message after server reachability status changes.
<Sysname> system-view
[Sysname] portal web-server wbs
[Sysname-portal-websvr-wbs] server-detect interval 600 retry 2 log trap
Related commands
portal web-server
tcp-port
Use tcp-port to configure a listening TCP port for the local portal Web server.
Use undo tcp-port to restore the default.
Syntax
tcp-port port-number
undo tcp-port
Default
The listening TCP port number for HTTP is 80 and that for HTTPS is 443.
Views
Local portal Web server view
Predefined user roles
network-admin
mdc-admin
Parameters
port-number: Specifies the listening TCP port number in the range of 1 to 65535.
Usage guidelines
To use the local portal Web server, make sure the port number in the portal Web server URL and the port number configured in this command are the same.
For successful local portal authentication, follow these guidelines:
· Do not configure the listening TCP port number for a local portal Web server as the port number used by a known protocol. For example, do not specify port numbers 21 and 23, which are used by FTP and Telnet, respectively.
· Do not configure the HTTP listening port number as the default HTTPS listening port number 443.
· Do not configure the HTTPS listening port number as the default HTTP listening port number 80.
· Do not configure the same listening port number for HTTP and HTTPS.
Examples
# Set the HTTP service listening port number to 2331 for the local portal Web server.
<Sysname> system-view
[Sysname] portal local-web-server http
[Sysname-portal-local-websvr-http] tcp-port 2331
Related commands
portal local-web-server
url
Use url to specify a URL for a portal Web server.
Use undo url to delete the URL for the portal Web server.
Syntax
url url-string
undo url
Default
No URL is specified for a portal Web server.
Views
Portal Web server view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies a URL for the portal Web server, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command specifies a URL that can be accessed through standard HTTP or HTTPS. The URL should start with http:// or https://. If the URL you specify does not start with http:// or https://, the system assumes that the URL begins with http://.
Examples
# Configure the URL for portal Web server wbs as http://www.test.com/portal.
<Sysname> system-view
[Sysname] portal web-server wbs
[Sysname-portal-websvr-wbs] url http://www.test.com/portal
Related commands
display portal web-server
url-parameter
Use url-parameter to configure the parameters carried by the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user.
Use undo url-parameter to delete the parameters carried by the URL of the portal Web server.
Syntax
url-parameter param-name { original-url | source-address | source-mac | value expression }
undo url-parameter param-name
Default
URL parameters for the portal Web server are not configured.
Views
Portal Web server view
Predefined user roles
network-admin
mdc-admin
Parameters
param-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. The content of the parameter is determined by the keyword that follows it.
original-url: Specifies the URL of the original web page that a portal user visits.
source-address: Specifies the user IP address.
source-mac: Specifies the user MAC address.
value expression: Specifies a custom case-sensitive string of 1 to 256 characters.
Usage guidelines
You can configure multiple URL parameters.
If you configure a URL parameter multiple times, the most recent configuration takes effect.
After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users. For example, assume that the URL of a portal Web server is http://www.test.com/portal, and you execute the url-parameter userip source-address and url-parameter userurl value http://www.test.com/welcome commands. Then, the access device sends to the user whose IP address is 1.1.1.1 the URL http://www.test.com/portal?userip=1.1.1.1&userurl=http://www.test.com/welcome.
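The following is an added example (not Comware code) that reproduces the redirect URL construction described above, including the url command's http:// default and the rule that reconfiguring a parameter name replaces its earlier definition. Values are appended verbatim, as in the example above; a portal Web server consuming original-url therefore has to treat that parameter as untrusted input.

```python
from dataclasses import dataclass


@dataclass
class PortalUser:
    """Constructed user context the access device substitutes into the URL."""
    ip: str
    mac: str
    original_url: str


def normalize_url(url_string: str) -> str:
    """url command: a URL without http:// or https:// is taken to begin with http://."""
    if url_string.startswith(("http://", "https://")):
        return url_string
    return "http://" + url_string


class PortalWebServer:
    """Device-side view of one portal Web server and its url-parameter entries."""

    def __init__(self, name: str, url_string: str):
        self.name = name
        self.url = normalize_url(url_string)
        self.params = {}   # param-name -> (keyword, expression); insertion order is kept

    def url_parameter(self, param_name: str, keyword: str, expression: str = None):
        # Configuring the same name again: the most recent configuration takes effect.
        # (Python keeps the original insertion position on reassignment; the reference
        # does not state the parameter order, so that is an assumption here.)
        self.params[param_name] = (keyword, expression)

    def undo_url_parameter(self, param_name: str):
        self.params.pop(param_name, None)

    def redirect_url(self, user: PortalUser) -> str:
        """Build the URL pushed to an unauthenticated user during redirection."""
        resolve = {
            "original-url": lambda: user.original_url,
            "source-address": lambda: user.ip,
            "source-mac": lambda: user.mac,
        }
        parts = []
        for name, (keyword, expr) in self.params.items():
            value = expr if keyword == "value" else resolve[keyword]()
            parts.append(f"{name}={value}")
        return self.url + ("?" + "&".join(parts) if parts else "")
```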
Examples
# Configure URL parameters userip and userurl for portal Web server wbs. Configure userip as source-address and userurl as value http://www.test.com/welcome.
<Sysname> system-view
[Sysname] portal web-server wbs
[Sysname-portal-websvr-wbs] url-parameter userip source-address
[Sysname-portal-websvr-wbs] url-parameter userurl value http://www.test.com/welcome
Related commands
· display portal web-server
· url
user-sync
Use user-sync to enable portal user synchronization for a portal authentication server. After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server. In this way, information about online portal users on the device and on the portal authentication server remains consistent.
Use undo user-sync to restore the default.
Syntax
user-sync timeout timeout
undo user-sync
Default
Portal user synchronization is disabled for the portal authentication server.
Views
Portal authentication server view
Predefined user roles
network-admin
mdc-admin
Parameters
timeout timeout: Sets a detection timeout for synchronization packets, in the range of 60 to 18000 seconds. The default is 1200 seconds.
Usage guidelines
Portal user synchronization requires that the portal authentication server support the portal user heartbeat feature. Currently, only the IMC portal authentication server supports portal user heartbeat. To implement portal user synchronization, you need to configure the user heartbeat feature on the portal authentication server. Make sure the user heartbeat interval configured on the portal authentication server is not greater than the synchronization detection timeout configured on the access device.
Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server.
If you configure portal user synchronization multiple times for a portal authentication server, the most recent configuration takes effect.
If a user on the device does not appear in the synchronization packets from the portal authentication server before the configured detection timeout expires, the device deletes the information about that user.
If the user information from the portal authentication server does not exist on the device, the device encapsulates IP addresses of the users in user heartbeat reply packets to the server. The portal authentication server then deletes the users.
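As an added example (not Comware code), the following models both directions of the synchronization described in these guidelines: users the server stops reporting are logged out on the device once the timeout expires, and users the server reports but the device does not know are returned in the heartbeat reply so the server can delete them. Timestamps are plain second counters supplied by the caller.

```python
from dataclasses import dataclass, field


@dataclass
class PortalUserSync:
    """Device-side model of portal user synchronization for one server (constructed)."""
    timeout: int = 1200                          # user-sync timeout, seconds (default 1200)
    last_seen: dict = field(default_factory=dict)  # online user IP -> time last reported

    def user_online(self, ip: str, now: int):
        """Record a user that has just passed portal authentication on the device."""
        self.last_seen[ip] = now

    def on_heartbeat(self, server_users: list, now: int) -> list:
        """Process one user heartbeat listing the server's online users.

        Returns the IPs to carry in the heartbeat reply: users the server lists
        but the device does not have, which the server then deletes.
        """
        unknown_to_device = []
        for ip in server_users:
            if ip in self.last_seen:
                self.last_seen[ip] = now     # user confirmed by the server
            else:
                unknown_to_device.append(ip)
        return unknown_to_device

    def expire(self, now: int) -> list:
        """Log out users absent from heartbeats for the whole timeout; returns their IPs."""
        stale = [ip for ip, seen in self.last_seen.items() if now - seen >= self.timeout]
        for ip in stale:
            del self.last_seen[ip]
        return stale
```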
Examples
# Enable portal user synchronization for portal authentication server pts and set the detection timeout to 600 seconds. If a user has not appeared in the synchronization packets sent by the portal authentication server for 600 seconds, the access device logs out the user.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] user-sync timeout 600
Related commands
portal server
vpn-instance
Use vpn-instance to specify the MPLS L3VPN where a portal Web server resides.
Use undo vpn-instance to delete the MPLS L3VPN for the portal Web server.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
The portal Web server is considered on the public network.
Views
Portal Web server view
Predefined user roles
network-admin
mdc-admin
Parameters
vpn-instance-name: Specifies the name of the MPLS L3VPN where the portal Web server resides, a case-sensitive string of 1 to 31 characters.
Usage guidelines
A portal Web server belongs to only one MPLS L3VPN.
Examples
# Configure the MPLS L3VPN for portal Web server wbs as abc.
<Sysname> system-view
[Sysname] portal web-server wbs
[Sysname-portal-websvr-wbs] vpn-instance abc