07-Security Command Reference

H3C Access Controllers Command References (E3703P61 R2509P61 R3709P61 R2609P61 R3509P61)
04-Portal Commands

Contents

Portal configuration commands
access-user detect
display portal acl
display portal connection statistics
display portal free-rule
display portal interface
display portal local-server
display portal server
display portal server statistics
display portal tcp-cheat statistics
display portal user
display web-redirect user
portal audit
portal audit enable
portal auth-network
portal backup-group
portal control-mode
portal delete-user
portal device-id
portal domain
portal forbidden-rule
portal forwarding-mode
portal free-rule
portal host-check
portal https-redirect ssl-server-policy
portal local-server
portal local-server bind
portal log packet
portal mac-trigger binding-retry
portal mac-trigger enable
portal mac-trigger exclude-attribute
portal mac-trigger nas-port-type
portal mac-trigger server
portal max-user
portal nas-id
portal nas-id-profile
portal nas-ip
portal nas-port-id
portal nas-port-type
portal grey-rule enable
portal grey-rule
portal port
portal redirect-url
portal safe-redirect enable
portal safe-redirect method
portal safe-redirect user-agent
portal safe-redirect forbidden-url
portal server
portal server banner
portal server include-error-message
portal server method
portal server server-detect
portal server user-sync
portal silent
portal silent ios optimize
portal url-param des-key
portal url-param format
portal url-param include
portal url-param nas-ip
portal user-address dhcp-alloc-only
portal user-url free
portal user-url redirect-url
portal web-proxy port
portal wlan ssid
portal wlan ssid-switch
reset portal connection statistics
reset portal server statistics
reset portal tcp-cheat statistics
web-redirect


Portal configuration commands

access-user detect

Use access-user detect to configure the online portal user detection function.

Use undo access-user detect to restore the default.

Syntax

access-user detect type arp retransmit number interval interval

undo access-user detect

Default

The portal user detection function is not configured on an interface.

Views

Interface view

Default command level

2: System level

Parameters

type arp: Uses ARP requests as probe packets.

retransmit number: Specifies the maximum number of times the device sends probe packets to a user before it receives a reply from the user. If this number is reached and the device has still received no reply from the portal user, the device considers the portal user offline and logs out the user. The value range for the number argument is 2 to 5.

interval interval: Specifies the interval for sending probe packets, in the range of 5 to 120, in seconds.

Usage guidelines

When this function is configured on an interface, the interface starts a probe timer (3 minutes, not configurable). If the interface has not received packets from a portal user when the probe timer expires, the device sends probe packets (ARP requests) to the portal user. If the device has not received a reply from the portal user when the maximum number of probes is reached, the device logs off the portal user. If the device receives a reply from the portal user before the maximum number of probes is reached, it stops sending probe packets and restarts the probe timer. The device repeats the process to detect whether portal users are online.

This function is available only for the direct and re-DHCP portal authentication configured on a Layer 3 interface.

Examples

# Configure the portal user detection function on VLAN-interface 100, specifying the probe packets as ARP requests, maximum number of probe attempts as 3, and probe interval as 10 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] access-user detect type arp retransmit 3 interval 10
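The probe sequence described in the usage guidelines, replayed on a constructed timeline as an added Python simulation (this is not H3C code; the fixed 3-minute probe timer and the 2 to 5 and 5 to 120 ranges come from the page). Two details the page leaves open are assumptions here: a new probe-timer window starts at the expiry of the previous one when traffic was seen, and the user is logged off one interval after the last unanswered probe.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PROBE_TIMER = 180  # seconds: the fixed, non-configurable 3-minute probe timer


@dataclass(frozen=True)
class DetectConfig:
    """Parameters of 'access-user detect type arp retransmit N interval I'."""
    retransmit: int  # maximum number of probes, 2 to 5
    interval: int    # seconds between probes, 5 to 120

    def __post_init__(self) -> None:
        if not 2 <= self.retransmit <= 5:
            raise ValueError("retransmit must be in the range 2 to 5")
        if not 5 <= self.interval <= 120:
            raise ValueError("interval must be in the range 5 to 120 seconds")


@dataclass(frozen=True)
class Probe:
    sent_at: int    # simulated time (s) at which the ARP request was sent
    answered: bool  # whether the user replied to this probe


def simulate_detection(cfg: DetectConfig, user_packets: Iterable[int],
                       responsive_until: int, horizon: int) -> Tuple[Optional[int], List[Probe]]:
    """Replay the detection logic on a constructed timeline.

    user_packets:     times (s) at which the interface saw traffic from the user.
    responsive_until: last time (s) at which the user still answers ARP (it left afterwards).
    Returns (logoff time, or None if still online at `horizon`; list of probes sent).
    """
    packets = sorted(user_packets)
    probes: List[Probe] = []
    window_start = 0
    while True:
        expiry = window_start + PROBE_TIMER
        if expiry > horizon:
            return None, probes
        if any(window_start < t <= expiry for t in packets):
            # Traffic seen while the timer ran: no probing; a new window starts (assumption: at expiry).
            window_start = expiry
            continue
        answered = False
        for n in range(cfg.retransmit):
            sent_at = expiry + n * cfg.interval
            probe = Probe(sent_at, sent_at <= responsive_until)
            probes.append(probe)
            if probe.answered:
                answered = True
                window_start = sent_at  # reply received: stop probing and restart the probe timer
                break
        if not answered:
            # Maximum number of probes reached with no reply: the user is logged off
            # (assumption: one interval after the last probe, when its reply would have been due).
            return probes[-1].sent_at + cfg.interval, probes
```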

display portal acl

Use display portal acl to display the ACLs on a specific interface.

Syntax

display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Displays all portal ACLs, including dynamic and static portal ACLs.

dynamic: Displays dynamic portal ACLs—ACLs generated dynamically after a user passes portal authentication.

static: Displays static portal ACLs—ACLs generated through portal related configuration, such as portal-free rule configuration.

interface interface-type interface-number: Displays the ACLs on the specified interface.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display all ACLs on interface VLAN-interface 2.

<Sysname> display portal acl all interface vlan-interface 2
IPv4 portal ACL rules on Vlan-interface2:
 Rule 0
 Inbound interface : all
 Type              : static
 Action            : permit
 Protocol          : 0
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : any
    MAC       : 0000-0000-0000
    Interface : any
    VLAN      : 2
 Destination:
    IP        : 192.168.1.15
    Mask      : 255.255.255.255
    Port      : any

 Rule 1
 Inbound interface : all
 Type              : dynamic
 Action            : permit
 Source:
    IP        : 8.8.8.8
    Mask      : 255.255.255.255
    MAC       : 0015-e9a6-7cfe
    Interface : any
    VLAN      : 2
    Protocol  : 0
 Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
 Author ACL:
    Number    : 3001

 Rule 2
 Inbound interface : all
 Type              : static
 Action            : permit
 Protocol          : 0
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    MAC       : 0000-0000-0000
    Interface : any
    VLAN      : 2
    SSID      : abcd
    Spot      : 2610
 Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : any

 Rule 3
 Inbound interface : all
 Type              : static
 Action            : redirect
 Protocol          : 6
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : any
    MAC       : 0000-0000-0000
    Interface : any
    VLAN      : 2
 Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : 80

 Rule 4
 Inbound interface : all
 Type              : static
 Action            : deny
 Protocol          : 0
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : any
    MAC       : 0000-0000-0000
    Interface : any
    VLAN      : 2
 Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : any

IPv6 portal ACL rules on Vlan-interface2:
 Rule 0
 Inbound interface : all
 Type              : static
 Action            : permit
 Source:
    IP            : ::
    Prefix length : 0
    MAC           : 0000-0000-0000
    Interface     : any
    VLAN          : 2
    Protocol      : 0
 Destination:
    IP            : 2::2
    Prefix length : 128
    Port          : any

 Rule 1
 Inbound interface : all
 Type              : static
 Action            : redirect
 Source:
    IP            : ::
    Prefix length : 0
    MAC           : 0000-0000-0000
    Interface     : any
    VLAN          : 2
    Protocol      : 6
 Destination:
    IP            : ::
    Prefix length : 0
    Port          : 80

 Rule 2
 Inbound interface : any
 Type              : static
 Action            : deny
 Source:
    IP            : ::
    Prefix length : 0
    MAC           : 0000-0000-0000
    Interface     : any
    VLAN          : 2
    Protocol      : 0
 Destination:
    IP            : ::
    Prefix length : 0
    Port          : any

Table 1 Command output

Field: Description
Rule: Sequence number of the portal ACL, which is numbered from 0 in ascending order.
Inbound interface: Interface to which the portal ACL is bound.
Type: Type of the portal ACL.
Action: Match action in the portal ACL.
Protocol: Transport layer protocol number in the portal ACL.
Source: Source information in the portal ACL.
IP: Source IP address in the portal ACL.
Mask: Subnet mask of the source IP address in the portal ACL.
Prefix length: Source IPv6 address prefix in the portal ACL. Support for this field depends on the device model. For more information, see About the H3C Access Controllers Command References.
Port: Source transport layer port number in the portal ACL.
MAC: Source MAC address in the portal ACL.
Interface: Source interface in the portal ACL.
VLAN: Source VLAN in the portal ACL.
SSID: Source SSID in the portal ACL.
Spot: AP name.
Protocol: Protocol type in the portal ACL.
Destination: Destination information in the portal ACL.
IP: Destination IP address in the portal ACL.
Port: Destination transport layer port number in the portal ACL.
Mask: Subnet mask of the destination IP address in the portal ACL.
Prefix length: Destination IPv6 address prefix in the portal ACL. Support for this field depends on the device model. For more information, see About the H3C Access Controllers Command References.
Author ACL: Authorization ACL information. It is displayed only when the value of the Type field is dynamic.
Number: Authorization ACL number assigned by the RADIUS server. None indicates that the server did not assign any ACL.
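A parser and audit for the display portal acl output above, as an added Python example (not H3C code). The sample text is a constructed, abridged copy of the page's output; the second dynamic rule with an Author ACL Number of None is made up to exercise the check that the RADIUS server actually assigned an authorization ACL to each authenticated user.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the display portal acl output above (abridged).
# Rule 2 (dynamic, Author ACL Number: None) is made up to exercise the audit.
SAMPLE_ACL_OUTPUT = """\
IPv4 portal ACL rules on Vlan-interface2:
 Rule 0
 Type              : static
 Action            : permit
 Protocol         : 0
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    VLAN      : 2
 Destination:
    IP        : 192.168.1.15
    Mask      : 255.255.255.255
    Port      : any

 Rule 1
 Type                 : dynamic
 Action               : permit
 Source:
    IP        : 8.8.8.8
    MAC       : 0015-e9a6-7cfe
    Protocol : 0
 Destination:
    IP        : 0.0.0.0
 Author ACL:
    Number    : 3001

 Rule 2
 Type                 : dynamic
 Action               : permit
 Source:
    IP        : 10.1.1.7
 Author ACL:
    Number    : None

 Rule 3
 Type              : static
 Action            : redirect
 Protocol         : 6
 Destination:
    Port      : 80
IPv6 portal ACL rules on Vlan-interface2:
 Rule 0
 Type              : static
 Action            : deny
 Source:
    IP              : ::
    Prefix length : 0
"""

HEADER = re.compile(r"^(IPv[46]) portal ACL rules on (\S+):$")
RULE = re.compile(r"^Rule (\d+)$")
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
SECTIONS = ("Source", "Destination", "Author ACL")


def parse_portal_acl(text: str) -> List[Dict]:
    """One dict per rule (keys: family, interface, number, top, Source, Destination,
    Author ACL). Column spacing varies between rules, so fields are matched by name."""
    rules: List[Dict] = []
    family = interface = rule = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER.match(line):
            family, interface = m.groups()
        elif m := RULE.match(line):
            rule = {"family": family, "interface": interface, "number": int(m.group(1)),
                    "top": {}, **{s: {} for s in SECTIONS}}
            rules.append(rule)
            section = None
        elif (m := KEY_VALUE.match(line)) and rule is not None:
            key, value = m.groups()
            if key in SECTIONS and value == "":
                section = key  # "Source:", "Destination:", "Author ACL:" open a sub-block
            else:
                rule[section or "top"][key] = value
    return rules


def audit_portal_acl(rules: List[Dict]) -> List[str]:
    """Findings worth a second look: dynamic (post-authentication) permits for which the
    RADIUS server assigned no authorization ACL, and the redirect rules that decide which
    unauthenticated traffic is steered to the portal."""
    findings = []
    for r in rules:
        top, where = r["top"], f"{r['family']} rule {r['number']} on {r['interface']}"
        if top.get("Type") == "dynamic" and r["Author ACL"].get("Number", "None") == "None":
            findings.append(f"{where}: dynamic permit for {r['Source'].get('IP')} without an authorization ACL")
        if top.get("Action") == "redirect":
            findings.append(f"{where}: redirect, protocol {top.get('Protocol')}, destination port {r['Destination'].get('Port')}")
    return findings
```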

 

display portal connection statistics

Use display portal connection statistics to display portal connection statistics on a specific interface or all interfaces.

Syntax

display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display portal connection statistics on interface VLAN-interface 1.

<Sysname> display portal connection statistics interface vlan-interface 1
 ---------------Interface: Vlan-interface1-----------------------
 User state statistics:
 State-Name                User-Num
 VOID                       0
 DISCOVERED                 0
 WAIT_AUTHEN_ACK            0
 WAIT_EAP_ACK               0
 WAIT_AUTHOR_ACK            0
 WAIT_LOGIN_ACK             0
 WAIT_ACL_ACK               0
 WAIT_NEW_IP                0
 WAIT_USERIPCHANGE_ACK      0
 ONLINE                     1
 WAIT_LOGOUT_ACK            0
 WAIT_LEAVING_ACK           0

 Message statistics:
 Msg-Name                  Total         Err           Discard
 MSG_AUTHEN_ACK            3             0             0
 MSG_AUTHOR_ACK            3             0             0
 MSG_LOGIN_ACK             3             0             0
 MSG_LOGOUT_ACK            2             0             0
 MSG_LEAVING_ACK           0             0             0
 MSG_CUT_REQ               0             0             0
 MSG_AUTH_REQ              3             0             0
 MSG_LOGIN_REQ             3             0             0
 MSG_LOGOUT_REQ            2             0             0
 MSG_LEAVING_REQ           0             0             0
 MSG_ARPPKT                0             0             0
 MSG_PORT_REMOVE           0             0             0
 MSG_VLAN_REMOVE           0             0             0
 MSG_IF_REMOVE             6             0             0
 MSG_IF_SHUT               0             0             0
 MSG_IF_DISPORTAL          0             0             0
 MSG_IF_UP                 0             0             0
 MSG_ACL_RESULT            0             0             0
 MSG_AAACUTBKREQ           0             0             0
 MSG_CUT_BY_USERINDEX      0             0             0
 MSG_CUT_L3IF              0             0             0
 MSG_IP_REMOVE             0             0             0
 MSG_ALL_REMOVE            1             0             0
 MSG_IFIPADDR_CHANGE       0             0             0
 MSG_SOCKET_CHANGE         8             0             0
 MSG_NOTIFY                0             0             0
 MSG_SETPOLICY             0             0             0
 MSG_SETPOLICY_RESULT      0             0             0

Table 2 Command output

Field: Description
User state statistics: Statistics on portal users.
State-Name: Name of a user state.
User-Num: Number of users in a specific state.
Message statistics: Statistics on messages.
Msg-Name: Message type.
Total: Total number of messages of a specific type.
Err: Number of erroneous messages of a specific type.
Discard: Number of discarded messages of a specific type.
MSG_AUTHEN_ACK: Authentication acknowledgment message.
MSG_AUTHOR_ACK: Authorization acknowledgment message.
MSG_LOGIN_ACK: Accounting acknowledgment message.
MSG_LOGOUT_ACK: Accounting-stop acknowledgment message.
MSG_LEAVING_ACK: Leaving acknowledgment message.
MSG_CUT_REQ: Cut request message.
MSG_AUTH_REQ: Authentication request message.
MSG_LOGIN_REQ: Accounting request message.
MSG_LOGOUT_REQ: Accounting-stop request message.
MSG_LEAVING_REQ: Leaving request message.
MSG_ARPPKT: ARP message.
MSG_PORT_REMOVE: Users-of-a-Layer-2-port-removed message.
MSG_VLAN_REMOVE: VLAN user removed message.
MSG_IF_REMOVE: Users-removed message, indicating the users on a Layer 3 interface were removed because the Layer 3 interface was removed.
MSG_IF_SHUT: Layer 3 interface shutdown message.
MSG_IF_DISPORTAL: Portal-disabled-on-interface message.
MSG_IF_UP: Layer 3 interface came up message.
MSG_ACL_RESULT: ACL deployment failure message.
MSG_AAACUTBKREQ: Message that AAA uses to notify portal to delete backup user information.
MSG_CUT_BY_USERINDEX: Force-user-offline message.
MSG_CUT_L3IF: Users-removed message, indicating the users on a Layer 3 interface were removed because they were logged out.
MSG_IP_REMOVE: User-with-an-IP-removed message.
MSG_ALL_REMOVE: All-users-removed message.
MSG_IFIPADDR_CHANGE: Interface IP address change message.
MSG_SOCKET_CHANGE: Socket change message.
MSG_NOTIFY: Notification message.
MSG_SETPOLICY: Set policy message for assigning security ACL.
MSG_SETPOLICY_RESULT: Set policy response message.

 

display portal free-rule

Use display portal free-rule to display information about a specific portal-free rule or all portal-free rules.

Syntax

display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

rule-number: Specifies the number of a portal-free rule. The value range varies by device model. For more information, see About the H3C Access Controllers Command References.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about portal-free rule 1.

<Sysname> display portal free-rule 1
 Rule-Number  1:
 Source:
   IP        : 2.2.2.0
   Mask      : 255.255.255.0
   Port      : any
   MAC       : 0000-0000-0000
   Interface : any
   SSID      : abcd
   Spot      : 2610
   Vlan      : 0
 Destination:
   IP        : 0.0.0.0
   Mask      : 0.0.0.0
   Port      : any
 Protocol    : 0

Table 3 Command output

Field: Description
Rule-Number: Number of the portal-free rule.
Source: Source information in the portal-free rule.
IP: Source IP address in the portal-free rule.
Mask: Subnet mask of the source IP address in the portal-free rule.
Prefix length: Source IPv6 address prefix in the portal-free rule. Support for this field depends on the device model. For more information, see About the H3C Access Controllers Command References.
Port: Source transport layer port number in the portal-free rule.
MAC: Source MAC address in the portal-free rule.
SSID: Source SSID in the portal-free rule.
Spot: AP name.
Interface: Source interface in the portal-free rule.
Vlan: Source VLAN in the portal-free rule.
Destination: Destination information in the portal-free rule.
IP: Destination IP address in the portal-free rule.
Mask: Subnet mask of the destination IP address in the portal-free rule.
Prefix length: Destination IPv6 address prefix in the portal-free rule. Support for this field depends on the device model. For more information, see About the H3C Access Controllers Command References.
Port: Destination transport layer port number in the portal-free rule.
Protocol: Transport layer protocol number in the portal-free rule.

 

Related commands

portal free-rule

display portal interface

Use display portal interface to display the portal configuration of an interface.

Syntax

display portal interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the portal configuration for interface VLAN-interface 2.

<Sysname> display portal interface vlan-interface 2
 Portal configuration of Vlan-interface2
 IPv4:
     Status: Portal running
     Portal server: servername
     Portal backup-group: 1
     Authentication type: Layer3
     Authentication domain: my-domain
     Authentication network:
         Source       IP: 1.1.1.1              Mask : 255.255.0.0
 Portal configuration of Vlan-interface2
 IPv6:
     Status: Portal running
     Portal server: v6pt
     Portal backup-group: None
     Authentication type: Direct
     Authentication domain:
     Authentication network:
         Source IP: 4::4                                     Prefix length: 128

Table 4 Command output

Field: Description
Portal configuration of interface: Portal configuration on the interface.
IPv4: IPv4 portal configuration.
IPv6: IPv6 portal configuration.
Status: Status of the portal authentication on the interface:
·     Portal disabled—Portal authentication is disabled.
·     Portal enabled—Portal authentication is enabled but is not functioning.
·     Portal running—Portal authentication is functioning.
Portal server: Portal server referenced by the interface.
Portal backup-group: ID number of the portal group to which the interface belongs. If the interface does not belong to any portal group, None is displayed. Support for this field depends on the device model. For more information, see About the H3C Access Controllers Command References.
Authentication type: Authentication mode enabled on the interface.
Authentication domain: Mandatory authentication domain of the interface.
Authentication network: Information of the portal authentication source subnet.
Source IP: IP address of the portal authentication source subnet.
Mask: Subnet mask of the IP address of the portal authentication subnet.
Prefix length: Prefix length of the IPv6 address of the portal authentication subnet.

 

display portal local-server

Use display portal local-server to display configuration information about the local portal server, including the supported protocol type, the referenced SSL server policy, and the SSID binding information.

Syntax

display portal local-server [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display configuration information about the local portal server.

<Sysname> display portal local-server
 Protocol: HTTPS
 Server policy: policy1
 Bind SSID list:
  ssid1: file1.zip
  ssid2: file1.zip

Table 5 Command output

Field: Description
Protocol: Protocol supported by the local portal server, HTTP or HTTPS.
Server policy: SSL server policy associated with the HTTPS service. If HTTP is configured, this field is null.
Bind SSID list: SSID binding list. If no binding entry is configured, this field is blank.

 

Related commands

·     portal local-server

·     portal local-server bind

display portal server

Use display portal server to display information about a specific portal server or all portal servers.

Syntax

display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

server-name: Specifies a portal server by its name, a case-sensitive string of 1 to 32 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about portal server aaa.

<Sysname> display portal server aaa
 Portal server:
  1)aaa:
    IP             : 192.168.0.111
    Port           : 50100
    Key            : ******
    URL            : http://192.168.0.111
    Server Type    : IMC
    Status         : Up

Table 6 Command output

Field: Description
1): Number of the portal server.
aaa: Name of the portal server.
IP: IP address of the portal server.
Port: Listening port on the portal server.
Key: Shared key for exchanges between the access device and portal server.
·     ****** is displayed if a key is configured.
·     Not configured is displayed if no key is configured.
URL: Address the packets are to be redirected to. Not configured is displayed if no address is configured.
Server Type: Type of the portal server.
·     cmcc—H3C CMCC portal server.
·     iMC—H3C IMC portal server.
Status: Current status of the portal server. Possible values include:
·     N/A—The server is not referenced on any interface, or the server detection function is not enabled. The reachability of the portal server is unknown.
·     Up—The portal server is referenced on an interface and the portal server detection function is enabled, and the portal server is reachable.
·     Down—The portal server is referenced on an interface and the portal server detection function is enabled, but the portal server is unreachable.
This field is not displayed for IPv6 portal servers, because IPv6 portal servers do not support the portal server detection function. Support for IPv6 portal servers depends on the device model. For more information, see About the H3C Access Controllers Command References.

 

Related commands

portal server

display portal server statistics

Use display portal server statistics to display portal server statistics on a specific interface or all interfaces.

Syntax

display portal server statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

When the all keyword is specified, the command displays portal server statistics by interface and therefore statistics about a portal server referenced by more than one interface may be displayed repeatedly.

Examples

# Display portal server statistics on VLAN-interface 3.

<Sysname> display portal server statistics interface vlan-interface 3
 ---------------Interface: Vlan-interface3----------------------
 Invalid packets: 0
 Pkt-Name                          Total   Discard  Checkerr
 REQ_CHALLENGE                       3        0        0
 ACK_CHALLENGE                       3        0        0
 REQ_AUTH                            3        0        0
 ACK_AUTH                            3        0        0
 REQ_LOGOUT                          1        0        0
 ACK_LOGOUT                          1        0        0
 AFF_ACK_AUTH                        3        0        0
 NTF_LOGOUT                          1        0        0
 REQ_INFO                            6        0        0
 ACK_INFO                            6        0        0
 NTF_USERDISCOVER                    0        0        0
 NTF_USERIPCHANGE                    0        0        0
 AFF_NTF_USERIPCHANGE                0        0        0
 ACK_NTF_LOGOUT                      1        0        0
 NTF_HEARTBEAT                       0        0        0
 NTF_USERSYNC                        2        0        0
 ACK_NTF_USERSYNC                    0        0        0
 NTF_CHALLENGE                       0        0        0
 NTF_USER_NOTIFY                     0        0        0
 AFF_NTF_USER_NOTIFY                 0        0        0
 NTF_AUTH                            0        0        0
 ACK_NTF_AUTH                        0        0        0
 REQ_QUERY_STATE                     0        0        0
 ACK_QUERY_STATE                     0        0        0
 REQ_MACBINDING_INFO                 0        0        0
 ACK_MACBINDING_INFO                 0        0        0
 NTF_USER_LOGON                      0        0        0
 RESERVED33                          0        0        0
 NTF_USER_LOGOUT                     0        0        0
 RESERVED35                          0        0        0
 PT_TYPE_REQ_USER_OFFLINE            0        0        0

Table 7 Command output

Field: Description
Interface: Interface referencing the portal server.
Invalid packets: Number of invalid packets.
Pkt-Name: Packet type.
Total: Total number of packets.
Discard: Number of discarded packets.
Checkerr: Number of erroneous packets.
REQ_CHALLENGE: Challenge request message the portal server sent to the access device.
ACK_CHALLENGE: Challenge acknowledgment message the access device sent to the portal server.
REQ_AUTH: Authentication request message the portal server sent to the access device.
ACK_AUTH: Authentication acknowledgment message the access device sent to the portal server.
REQ_LOGOUT: Logout request message the portal server sent to the access device.
ACK_LOGOUT: Logout acknowledgment message the access device sent to the portal server.
AFF_ACK_AUTH: Affirmation message the portal server sent to the access device after receiving an authentication acknowledgment message.
NTF_LOGOUT: Forced logout notification message the access device sent to the portal server.
REQ_INFO: Information request message.
ACK_INFO: Information acknowledgment message.
NTF_USERDISCOVER: User discovery notification message the portal server sent to the access device.
NTF_USERIPCHANGE: User IP change notification message the access device sent to the portal server.
AFF_NTF_USERIPCHANGE: User IP change success notification message the portal server sent to the access device.
ACK_NTF_LOGOUT: Forced logout acknowledgment message from the portal server.
NTF_HEARTBEAT: Portal heartbeat message the portal server sent to the access device.
NTF_USERSYNC: User synchronization packet the access device received from the portal server.
ACK_NTF_USERSYNC: User synchronization acknowledgment packet the access device sent to the portal server.
NTF_CHALLENGE: Challenge request the access device sent to the portal server.
NTF_USER_NOTIFY: User information notification message the access device sent to the portal server.
AFF_NTF_USER_NOTIFY: NTF_USER_NOTIFY acknowledgment message the access device sent to the portal server.
NTF_AUTH: Forced authentication notification message the portal server sent to the access device.
ACK_NTF_AUTH: NTF_AUTH acknowledgment message the access device sent to the portal server.
REQ_QUERY_STATE: User online state query message the portal server sent to the access device.
ACK_QUERY_STATE: User online state acknowledgment message the access device sent to the portal server.
REQ_MACBINDING_INFO: MAC binding query the access device sent to the MAC binding server.
ACK_MACBINDING_INFO: MAC binding query acknowledgment the MAC binding server sent to the access device.
NTF_USER_LOGON: User login notification message the access device sent to the MAC binding server.
RESERVED33: Reserved.
NTF_USER_LOGOUT: User logoff notification message the access device sent to the MAC binding server.
RESERVED35: Reserved.
PT_TYPE_REQ_USER_OFFLINE: Forced user offline request the MAC binding server sent to the access device.
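The counter tables printed by display portal connection statistics and display portal server statistics share one layout (a header row ending in -Name, then one row per message or state). As an added Python example, not H3C code, here is a parser for that layout with a check that lists every non-zero Err, Discard, Checkerr and Invalid packets counter; the sample text is constructed from abridged copies of the two outputs above, and the non-zero error counts in it are made up to exercise the check.

```python
from typing import Dict, List, Tuple

# Constructed samples modelled on the two outputs above (abridged). The non-zero
# error counters are made up to exercise the check and do not come from the page.
CONNECTION_STATS = """\
 ---------------Interface: Vlan-interface1-----------------------
 User state statistics:
 State-Name                User-Num
 VOID                       0
 WAIT_AUTHEN_ACK            2
 ONLINE                     1

 Message statistics:
 Msg-Name                  Total         Err           Discard
 MSG_AUTHEN_ACK            3             0             0
 MSG_LOGIN_ACK             3             1             0
 MSG_ACL_RESULT            2             0             2
"""

SERVER_STATS = """\
 ---------------Interface: Vlan-interface3----------------------
 Invalid packets: 4
 Pkt-Name                          Total   Discard  Checkerr
 REQ_CHALLENGE                       3        0        0
 REQ_AUTH                            3        0        3
 NTF_LOGOUT                          1        0        0
"""

Counters = Dict[str, Dict[str, Dict[str, int]]]
ERROR_COLUMNS = ("Err", "Discard", "Checkerr")


def parse_counter_tables(text: str) -> Tuple[Counters, int]:
    """Return ({header: {row name: {column: count}}}, invalid_packets).

    A line whose first token ends in -Name (State-Name, Msg-Name, Pkt-Name) starts a
    table and names its columns; a row is a name followed by exactly one integer per column.
    """
    tables: Counters = {}
    header, columns, invalid_packets = None, [], 0
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].endswith("-Name"):
            header, columns = parts[0], parts[1:]
            tables[header] = {}
        elif parts[:2] == ["Invalid", "packets:"]:
            invalid_packets = int(parts[2])
        elif header and len(parts) == len(columns) + 1 and all(p.isdigit() for p in parts[1:]):
            tables[header][parts[0]] = dict(zip(columns, map(int, parts[1:])))
    return tables, invalid_packets


def error_findings(tables: Counters, invalid_packets: int) -> List[str]:
    """Every counter a defender should look at: invalid, erroneous or discarded packets."""
    findings = []
    if invalid_packets:
        findings.append(f"Invalid packets: {invalid_packets}")
    for rows in tables.values():
        for name, counters in rows.items():
            for column in ERROR_COLUMNS:
                if counters.get(column, 0):
                    findings.append(f"{name}: {column}={counters[column]} (Total={counters.get('Total')})")
    return findings


def users_in_transition(tables: Counters) -> int:
    """Users counted in a WAIT_* state are between handshake steps; a count that does
    not drop between two samples of the command is worth investigating."""
    states = tables.get("State-Name", {})
    return sum(c["User-Num"] for state, c in states.items() if state.startswith("WAIT_"))
```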

 

display portal tcp-cheat statistics

Use display portal tcp-cheat statistics to display TCP spoofing statistics.

Syntax

display portal tcp-cheat statistics [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display TCP spoofing statistics.

<Sysname> display portal tcp-cheat statistics

 TCP Cheat Statistic:

 Total Opens: 0

 Resets Connections: 0

 Current Opens: 0

 Packets Received: 0

 Packets Sent: 0

 Packets Retransmitted: 0

 Packets Dropped: 0

 HTTP Packets Sent: 0

 Connection State:

          SYN_RECVD: 0

          ESTABLISHED: 0

          CLOSE_WAIT: 0

          LAST_ACK: 0

          FIN_WAIT_1: 0

          FIN_WAIT_2: 0

          CLOSING: 0

Table 8 Command output

TCP Cheat Statistic: TCP spoofing statistics.

Total Opens: Total number of opened connections.

Resets Connections: Number of connections reset through RST packets.

Current Opens: Number of connections being set up.

Packets Received: Number of received packets.

Packets Sent: Number of sent packets.

Packets Retransmitted: Number of retransmitted packets.

Packets Dropped: Number of dropped packets.

HTTP Packets Sent: Number of HTTP packets sent.

Connection State: Statistics of connections in various states.

ESTABLISHED: Number of connections in ESTABLISHED state.

CLOSE_WAIT: Number of connections in CLOSE_WAIT state.

LAST_ACK: Number of connections in LAST_ACK state.

FIN_WAIT_1: Number of connections in FIN_WAIT_1 state.

FIN_WAIT_2: Number of connections in FIN_WAIT_2 state.

CLOSING: Number of connections in CLOSING state.

 

display portal user

Use display portal user to display information about portal users on a specific interface or all interfaces.

Syntax

display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and name.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about portal users on all interfaces.

<Sysname> display portal user all

 Index:2

 State:ONLINE

 SubState:NONE

 ACL:NONE

 Work-mode:Stand-alone

 MAC                IP                 Vlan   Interface

 ---------------------------------------------------------------------

 000d-88f8-0eab   2.2.2.2           1      Vlan-interface1

 Index:3

 State:ONLINE

 SubState:NONE

 ACL:3000

 Work-mode:Primary

 MAC                IP                 Vlan   Interface

 ---------------------------------------------------------------------

 000d-88f8-0eac   3.3.3.3           2      Vlan-interface2

 Total 2 user(s) matched, 2 listed.

Table 9 Command output

Index: Index of the portal user.

State: Current status of the portal user.

SubState: Current sub-status of the portal user.

ACL: Authorization ACL of the portal user.

Work-mode: User's working mode:

·     Primary.

·     Secondary.

·     Stand-alone.

MAC: MAC address of the portal user.

IP: IP address of the portal user.

Vlan: VLAN to which the portal user belongs.

Interface: Interface to which the portal user is attached.

Total 2 user(s) matched, 2 listed: Total number of portal users.
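As an added example, not code from the H3C reference: a parser that reads display portal user all output in the format shown above and flags entries worth a second look (no authorization ACL, one IP address seen with several MACs, and a record count that disagrees with the Total line). The sample output is a constructed copy of that format, extended with an invented third user.

```python
"""Parse and audit `display portal user all` output.

Added example, not code from the H3C reference. SAMPLE_OUTPUT is a constructed
copy of the output format shown above, extended with an invented third user.
"""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
 Index:2
 State:ONLINE
 SubState:NONE
 ACL:NONE
 Work-mode:Stand-alone
 MAC                IP                 Vlan   Interface
 ---------------------------------------------------------------------
 000d-88f8-0eab   2.2.2.2           1      Vlan-interface1
 Index:3
 State:ONLINE
 SubState:NONE
 ACL:3000
 Work-mode:Primary
 MAC                IP                 Vlan   Interface
 ---------------------------------------------------------------------
 000d-88f8-0eac   3.3.3.3           2      Vlan-interface2
 Index:4
 State:ONLINE
 SubState:NONE
 ACL:NONE
 Work-mode:Primary
 MAC                IP                 Vlan   Interface
 ---------------------------------------------------------------------
 000d-88f8-0ead   3.3.3.3           2      Vlan-interface2
 Total 3 user(s) matched, 3 listed.
"""

# "Key:Value" header lines of a user block (no space after the colon).
KV_RE = re.compile(r"^\s*(Index|State|SubState|ACL|Work-mode):(\S+)\s*$")
# The table row under each block: MAC in H-H-H form, IP, VLAN ID, interface.
ROW_RE = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(\S+)\s*$", re.I)
TOTAL_RE = re.compile(r"^\s*Total (\d+) user\(s\) matched, (\d+) listed\.?\s*$")


def parse_portal_users(text):
    """Return (records, matched, listed). Each record carries the block's
    Index/State/SubState/ACL/Work-mode fields plus mac, ip, vlan, interface."""
    records, current = [], {}
    matched = listed = None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Index" and current:   # an Index line opens the next block
                records.append(current)
                current = {}
            current[key] = value
            continue
        m = ROW_RE.match(line)
        if m:
            mac, ip, vlan, iface = m.groups()
            current.update(mac=mac.lower(), ip=ip, vlan=int(vlan), interface=iface)
            continue
        m = TOTAL_RE.match(line)
        if m:
            matched, listed = int(m.group(1)), int(m.group(2))
    if current:
        records.append(current)
    return records, matched, listed


def audit_portal_users(records, listed):
    """Flag entries worth a second look: no authorization ACL, one IP seen with
    several MACs, and a parsed record count that disagrees with the Total line."""
    findings = []
    for r in records:
        if r.get("ACL") == "NONE":
            findings.append(f"index {r.get('Index')} ({r.get('ip')}): no authorization ACL")
    macs_by_ip = defaultdict(set)
    for r in records:
        macs_by_ip[r.get("ip")].add(r.get("mac"))
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            findings.append(f"{ip}: {len(macs)} MACs share one IP: {', '.join(sorted(macs))}")
    if listed is not None and listed != len(records):
        findings.append(f"Total line says {listed} listed but {len(records)} records parsed")
    return findings


if __name__ == "__main__":
    recs, _, listed = parse_portal_users(SAMPLE_OUTPUT)
    print("\n".join(audit_portal_users(recs, listed)))
```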

 

display web-redirect user

Use display web-redirect user to display information about Web redirect users (users redirected by the Web redirect function).

Syntax

display web-redirect user [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about Web redirect users.

<Sysname> display web-redirect user

Total users: 14

IP             Status          Aging     Interface

18.18.0.2     authorized     85872     Vlan-interface2

18.18.1.26    authorized     86396     Vlan-interface2

18.18.1.27    authorized     86396     Vlan-interface2

18.18.1.28    authorized     86396     Vlan-interface2

18.18.1.29    authorized     86396     Vlan-interface2

18.18.1.30    authorized     86396     Vlan-interface2

18.18.0.95    authorized     86396     Vlan-interface2

18.18.0.96    authorized     86396     Vlan-interface6

18.18.0.97    authorized     86396     Vlan-interface6

18.18.0.98    authorized     86396     Vlan-interface6

18.18.0.99    authorized     86396     Vlan-interface6

18.18.0.100   authorized     86396     Vlan-interface6

18.18.0.101   unauthorized   86396     Vlan-interface6

Table 10 Command output

IP: IP address of the redirected user.

Status: Status of the redirected user:

·     authorized—The user is authorized to access the network.

·     unauthorized—The user is unauthorized and cannot access the network. When the user accesses the network, it is redirected to the Web redirection URL (configured by the web-redirect command).

Aging: Aging time for the redirected user, in seconds.

Interface: Network access interface of the redirected user.

 

portal audit

Use portal audit to set the interval for sending portal user online behavior logs to the log server and the maximum number of logs to be sent in each interval.

Use undo portal audit to restore the default.

Syntax

portal audit { interval interval | count number } *

undo portal audit { interval interval | count number } *

Default

By default, the device sends a maximum of 50 portal user online behavior logs to the log server every three seconds.

Views

System view

Default command level

2: System level

Parameters

interval interval: Specifies the interval for sending portal user online behavior logs to the log server, in seconds. The value range for the interval argument is 1 to 120.

count number: Specifies the maximum number of portal user online behavior logs to be sent to the log server in each interval. The value range for the number argument is 1 to 500.

Examples

# Configure the device to send a maximum of 100 portal user online behavior logs to the log server every 1 second.

<Sysname> system-view

[Sysname] portal audit interval 1 count 100

portal audit enable

Use portal audit enable to enable online behavior logging for portal users.

Use undo portal audit enable to restore the default.

Syntax

portal audit enable

undo portal audit enable

Default

By default, online behavior logging is disabled for portal users.

Views

System view

Default command level

2: System level

Examples

# Enable online behavior logging for portal users.

<Sysname> system-view

[Sysname] portal audit enable

portal auth-network

Use portal auth-network to configure a portal authentication source subnet on an interface.

Use undo portal auth-network to remove a specific portal authentication source subnet or all portal authentication subnets.

Syntax

portal auth-network { ipv4-network-address { mask-length | mask } | ipv6 ipv6-network-address prefix-length }

undo portal auth-network { ipv4-network-address | all | ipv6 ipv6-network-address }

Default

The portal authentication source IPv4 subnet is 0.0.0.0/0 and the source IPv6 subnet is ::/0, meaning that users in all subnets must pass portal authentication.

Views

Interface view

Default command level

2: System level

Parameters

ipv4-network-address: Specifies an authentication source subnet by its IPv4 address.

mask-length: Specifies the length of the subnet mask, in the range of 0 to 32.

mask: Specifies the subnet mask, in dotted decimal notation.

ipv6 ipv6-network-address: Specifies an authentication source subnet by its IPv6 address. Support for this option depends on the device model. For more information, see About the H3C Access Controllers Command References.

prefix-length: Specifies the IPv6 address prefix length in the range of 0 to 128.

all: Specifies all authentication source subnets.

Usage guidelines

You can use this command to configure multiple portal authentication source subnets on an interface. Then, only HTTP packets from the subnets can trigger portal authentication on the interface. If an unauthenticated user is not on any authentication source subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule.

This command applies only to cross-subnet authentication (layer3). For direct authentication (direct), the portal authentication source subnet can be any source IP address. For re-DHCP authentication (redhcp), it is the subnet determined by the private IP address of the interface connecting the users.

You can configure up to 32 authentication source subnets by executing the portal auth-network command.

Examples

# Configure a portal authentication source subnet of 10.10.10.0/24 on interface VLAN-interface 2 to allow users from subnet 10.10.10.0/24 to trigger portal authentication.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal auth-network 10.10.10.0 24

portal backup-group

Use portal backup-group to specify the portal group to which the interface belongs.

Use undo portal backup-group to restore the default.

Syntax

portal backup-group group-id

undo portal backup-group

Default

A portal service backup interface does not belong to any portal group.

Views

Interface view

Default command level

2: System level

Parameters

group-id: Specifies a portal group by its ID, in the range of 1 to 256.

Usage guidelines

The portal service backup interfaces in the same portal group back up the portal user data of each other.

In a stateful failover networking environment, with portal service backup configured, the source backup device sends the portal user data from the local portal service backup interface to the corresponding portal service backup interface on the destination backup device, which then saves the data. This command is used to associate the specified portal service backup interfaces on the two devices.

In this document, an interface for backing up portal services is called a portal service backup interface. It is different from the stateful failover interface, which backs up service data and transmits state negotiation packets.

After an interface on a device is added to a portal group, the other interfaces on the device cannot be added to the portal group.

On two devices that back up each other, the portal service backup interfaces on both devices must be up, belong to the same portal group, and have portal authentication enabled. Otherwise, user data on the two portal service backup interfaces cannot be synchronized.

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# In the stateful failover networking environment, add the portal service backup interface VLAN-interface 1 to portal group 1 on the source backup device.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] portal backup-group 1

On the peer device (the destination backup device), you must also add the corresponding portal service backup interface to portal group 1.

portal control-mode

Use portal control-mode to specify the control mode for portal user packets.

Use undo portal control-mode to restore the default.

Syntax

portal control-mode { mac | ip-mac }

undo portal control-mode

Default

The IP+MAC control mode is used.

Views

Interface view

Default command level

2: System level

Parameters

mac: Specifies the MAC control mode. In this mode, the device allows a packet to pass the interface if the MAC address of the packet is the same as that of a portal authenticated user.

ip-mac: Specifies the IP+MAC control mode. In this mode, the device allows a packet to pass the interface if both the MAC and IP addresses of the packet are the same as those of a portal authenticated user.

Usage guidelines

In MAC control mode, after an IPv4 or IPv6 portal user passes portal authentication on an interface, both IPv4 and IPv6 packets of the user can pass the interface.

In IP+MAC control mode, after an IPv4 portal user passes portal authentication on an interface, only the IPv4 packets of the user can pass the interface. After an IPv6 portal user passes portal authentication on an interface, only the IPv6 packets of the user can pass the interface.

Follow these guidelines when you use the command on an interface:

·     This function takes effect only for direct and re-DHCP Layer 3 portal authentication.

·     After portal authentication is enabled on the interface, you cannot change the control mode for portal user packets.

Examples

# Specify the control mode as MAC for portal user packets.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] portal control-mode mac

Related commands

portal server method

portal delete-user

Use portal delete-user to log off portal users.

Syntax

portal delete-user { ipv4-address | all | interface interface-type interface-number | ipv6 ipv6-address }

Views

System view

Default command level

2: System level

Parameters

ipv4-address: Logs off the portal user with the specified IPv4 address.

all: Logs off all portal users.

interface interface-type interface-number: Logs off all IPv4 and IPv6 portal users on the specified interface.

ipv6 ipv6-address: Logs off the portal user with the specified IPv6 address. Support for this option depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Log out the portal user whose IP address is 1.1.1.1.

<Sysname> system-view

[Sysname] portal delete-user 1.1.1.1

Related commands

display portal user

portal device-id

Use portal device-id to specify the device ID.

Use undo portal device-id to restore the default.

Syntax

portal device-id id-value

undo portal device-id

Default

A device is not configured with a device ID.

Views

System view

Default command level

2: System level

Parameters

id-value: Device ID of the device, a case-sensitive string of 1 to 63 characters. This value is used as the value of the device ID parameter carried in the redirection URL to be sent to the clients.

Usage guidelines

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

If the type of the portal server specified for Layer 3 portal authentication is CMCC, you must specify the device ID.

Examples

# Set the device's device ID to 0002.0010.100.00.

<Sysname> system-view

[Sysname] portal device-id 0002.0010.100.00

After this configuration, the redirection URL sent from the device to client 10.1.2.34 is http://www.portal.com?wlanuserip=10.1.2.34&wlanacname=0002.0010.100.00.

Related commands

portal server

portal domain

Use portal domain to specify an authentication domain for portal users on an interface.

Use undo portal domain to delete the authentication domain specified for portal users.

Syntax

portal domain [ ipv6 ] domain-name

undo portal domain [ ipv6 ]

Default

No authentication domain is specified for portal users on an interface.

Views

Interface view

Default command level

2: System level

Parameters

ipv6: Specifies IPv6 portal users. If you do not specify the ipv6 keyword, the command is for IPv4 portal users. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain specified by this argument must already exist.

Usage guidelines

After you configure this command, the device uses the authentication domain for authentication, authorization and accounting (AAA) of the portal users on the interface.

Examples

# Configure the authentication domain for IPv4 portal users on VLAN-interface 100 as my-domain.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] portal domain my-domain

Related commands

display portal interface

portal forbidden-rule

Use portal forbidden-rule to configure a portal-forbidden rule and specify the forbidden resource to access.

Use undo portal forbidden-rule to remove a portal-forbidden rule or all portal-forbidden rules.

Syntax

portal forbidden-rule rule-number [ source wlan ssid ssid-name [ hotspot hotspot-name ] ] destination { ip { hostname | ip-address [ mask { mask-length | netmask } ] } | { { tcp | udp } port-number } } *

undo portal forbidden-rule rule-number

Views

System view

Default command level

2: System level

Parameters

rule-number: Specifies a number for the portal-forbidden rule. The value range varies by device model. For more information, see About the H3C Access Controllers Command References.

source: Specifies the access source for the portal-forbidden rule. Access from the specified source will be forbidden.

wlan ssid ssid-name: Specifies an SSID by its name, a case-insensitive string of 1 to 32 characters.

hotspot hotspot-name: Specifies a hotspot by its name, a case-insensitive string of 1 to 63 characters.

destination ip: Specifies a destination resource for the portal-forbidden rule.

hostname: Specifies a domain name for the portal-forbidden rule.

ip-address: Specifies an IP address for the portal-forbidden rule.

mask { mask-length | netmask }: Specifies a mask or mask length for the IP address. The netmask argument is a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer in the range of 0 to 32.

tcp port-number: Specifies a TCP port number in the range of 0 to 65535.

udp port-number: Specifies a UDP port number in the range of 0 to 65535.

Usage guidelines

You can create or remove a portal-forbidden rule, but cannot modify a portal-forbidden rule.

Examples

# Configure a portal-forbidden rule, denying any packet whose destination domain name is www.xyz.com.

<Sysname> system-view

[Sysname] portal forbidden-rule 10 destination ip www.xyz.com

# Configure a portal-forbidden rule, denying any packet whose destination TCP port number is 80.

<Sysname> system-view

[Sysname] portal forbidden-rule 13 destination tcp 80

# Configure a portal-forbidden rule, denying any packet whose destination IP address is 2.2.2.2/24.

<Sysname> system-view

[Sysname] portal forbidden-rule 14 destination ip 2.2.2.2 mask 32

portal forwarding-mode

Use portal forwarding-mode local to enable the local forwarding mode for authenticated portal users.

Use undo portal forwarding-mode to restore the default.

Syntax

portal forwarding-mode local

undo portal forwarding-mode

Default

APs send traffic of portal users to the AC and the AC forwards the user traffic.

Views

Interface view

Default command level

2: System level

Usage guidelines

When the local forwarding mode is enabled, the AC performs portal authentication on portal users. After the portal users pass the authentication, the APs directly forward traffic of the portal users.

Examples

# Enable local forwarding for traffic from authenticated portal users on VLAN-interface 1.

<Sysname> system-view

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] portal forwarding-mode local

portal free-rule

Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination filtering condition, or both.

Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules.

Syntax

portal free-rule rule-number { destination { any | ip { ipv4-address mask { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | ipv6 { ipv6-address prefix-length | any } | hostname hostname } | source { any | [ { interface interface-type interface-number | wlan ssid ssid [ spot spot ] } | ip { ipv4-address mask { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | ipv6 { ipv6-address prefix-length | any } | mac mac-address | vlan vlan-id ] * } } *

undo portal free-rule { rule-number | all }

Views

System view

Default command level

2: System level

Parameters

rule-number: Specifies a portal-free rule by its number. The value range varies by device model. For more information, see About the H3C Access Controllers Command References.

any: Imposes no limitation on the previous keyword.

ip ipv4-address: Specifies an IPv4 address for the portal-free rule.

mask { mask-length | mask }: Specifies a mask or mask length for the IP address. The mask argument is a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer in the range of 0 to 32.

ipv6 ipv6-address: Specifies an IPv6 address for the portal-free rule. Support for this option depends on the device model. For more information, see About the H3C Access Controllers Command References.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

tcp tcp-port-number: Specifies a TCP port number in the range of 0 to 65535. Support for this option depends on the device model. For more information, see About the H3C Access Controllers Command References.

udp udp-port-number: Specifies a UDP port number in the range of 0 to 65535. Support for this option depends on the device model. For more information, see About the H3C Access Controllers Command References.

hostname hostname: Specifies an IPv4 domain name, which can be accessed by unauthenticated users.

interface interface-type interface-number: Specifies a source interface.

wlan ssid ssid: Specifies an SSID, a case-insensitive string of 1 to 32 characters. Support for this option depends on the device model. For more information, see About the H3C Access Controllers Command References.

spot spot: Specifies an AP name, a case-sensitive string of 1 to 63 characters.

mac mac-address: Specifies a source MAC address in the format H-H-H.

vlan vlan-id: Specifies a source VLAN ID.

all: Specifies all portal-free rules.

Usage guidelines

If you specify both a source IPv4 address and a source MAC address in a portal-free rule, the IP address must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect.

If you specify both a source IPv6 address and a source MAC address in a portal-free rule, the IPv6 address must be a host address with a 128-bit prefix. Otherwise, the specified MAC address does not take effect.

If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.

If you specify both a source port number and a destination port number for a portal-free rule, the source and destination port numbers must belong to the same transport layer protocol.

You cannot configure a portal-free rule with the same filtering criteria as an existing one. If you try, the system prompts that the rule already exists.

Regardless of whether portal authentication is enabled on an interface, you can only add or remove a portal-free rule; you cannot modify it.

A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation group.

To configure a portal-free rule based on source SSID and AP name, specify the spot spot option.

Examples

# Configure a portal-free rule, allowing any packet whose source IP address is 10.10.10.1/24 and source interface is GigabitEthernet 1/0/1 to bypass portal authentication.

<Sysname> system-view

[Sysname] portal free-rule 15 source ip 10.10.10.1 mask 24 interface gigabitethernet 1/0/1 destination ip any

# Configure a portal-free rule, allowing any packet whose SSID is test and AP name is sp1 to bypass portal authentication.

<Sysname> system-view

[Sysname] portal free-rule 15 source wlan ssid test spot sp1

# Configure a portal-free rule, allowing any packet to access http://www.xyz.com without portal authentication.

<Sysname> system-view

[Sysname] portal free-rule 10 destination hostname www.xyz.com
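The usage guidelines above can be checked before a rule is pushed to a device. As an added example (not H3C's code), the linter below parses candidate portal free-rule lines and reports a source MAC that will be ignored because the IP is not a /32 or /128 host address, mixed transport protocols between source and destination ports, criteria identical to an earlier rule, and VLAN-plus-interface pairs whose membership must be verified on the device. The rule lines, addresses, MACs and interface names are constructed assumptions.

```python
"""Lint candidate `portal free-rule` lines against the usage guidelines above.

Added example, not H3C code. RULES is a constructed set of rule lines; the
rule numbers, addresses, MACs and interface names in it are assumptions.
"""
import ipaddress

RULES = [
    # The subnet-plus-interface example from this section.
    "portal free-rule 15 source ip 10.10.10.1 mask 24 interface gigabitethernet 1/0/1 destination ip any",
    # /24 plus MAC: the MAC is ignored, so the whole subnet bypasses portal.
    "portal free-rule 16 source ip 10.10.10.1 mask 24 mac 000d-88f8-0eab destination ip any",
    # /32 plus MAC: a host address, so the MAC takes effect.
    "portal free-rule 17 source ip 10.10.10.1 mask 32 mac 000d-88f8-0eab destination ip any",
    # Source TCP port with destination UDP port: mixed transport protocols.
    "portal free-rule 18 source ip any tcp 1024 destination ip any udp 53",
    # Same criteria as rule 15, written with a dotted-decimal mask.
    "portal free-rule 19 source ip 10.10.10.1 mask 255.255.255.0 interface gigabitethernet 1/0/1 destination ip any",
    # VLAN plus interface: membership has to be verified on the device.
    "portal free-rule 20 source vlan 2 interface gigabitethernet 1/0/2 destination any",
]


def parse_free_rule(line):
    """Split one rule line into {"number", "source": {...}, "destination": {...}}."""
    toks = line.split()
    if toks[:2] != ["portal", "free-rule"]:
        raise ValueError("not a portal free-rule command: " + line)
    rule = {"number": int(toks[2]), "source": {}, "destination": {}}
    side, i = None, 3
    while i < len(toks):
        t = toks[i]
        if t in ("source", "destination"):
            side, i = rule[t], i + 1
            continue
        if side is None:
            raise ValueError(f"rule {rule['number']}: {t!r} before source/destination")
        if t == "any":
            side["any"], i = True, i + 1
        elif t in ("ip", "ipv6") and toks[i + 1] == "any":
            side[t], i = "any", i + 2
        elif t == "ip":                          # ip ADDR mask { LENGTH | DOTTED }
            if toks[i + 2] != "mask":
                raise ValueError(f"rule {rule['number']}: expected 'mask' after {toks[i + 1]}")
            side["ip"] = ipaddress.ip_network(f"{toks[i + 1]}/{toks[i + 3]}", strict=False)
            i += 4
        elif t == "ipv6":                        # ipv6 ADDR PREFIX-LENGTH
            side["ipv6"] = ipaddress.ip_network(f"{toks[i + 1]}/{toks[i + 2]}", strict=False)
            i += 3
        elif t in ("tcp", "udp"):
            side["l4"], i = (t, int(toks[i + 1])), i + 2
        elif t == "mac":
            side["mac"], i = toks[i + 1].lower(), i + 2
        elif t == "vlan":
            side["vlan"], i = int(toks[i + 1]), i + 2
        elif t in ("spot", "hostname"):
            side[t], i = toks[i + 1], i + 2
        elif t == "interface":                   # interface TYPE NUMBER
            side["interface"], i = f"{toks[i + 1]} {toks[i + 2]}".lower(), i + 3
        elif t == "wlan":                        # wlan ssid NAME
            side["ssid"], i = toks[i + 2], i + 3
        else:
            raise ValueError(f"rule {rule['number']}: unexpected token {t!r}")
    return rule


def lint_free_rules(lines):
    """Return findings for the four guideline checks, in rule order."""
    findings, seen = [], {}
    for line in lines:
        rule = parse_free_rule(line)
        n, src, dst = rule["number"], rule["source"], rule["destination"]
        if "mac" in src:
            for fam, host_len in (("ip", 32), ("ipv6", 128)):
                net = src.get(fam)
                if isinstance(net, (ipaddress.IPv4Network, ipaddress.IPv6Network)) and net.prefixlen != host_len:
                    findings.append(f"rule {n}: source MAC ignored because {net} is not a "
                                    f"/{host_len} host address; the whole {net} bypasses portal")
        if "l4" in src and "l4" in dst and src["l4"][0] != dst["l4"][0]:
            findings.append(f"rule {n}: source {src['l4'][0]} and destination {dst['l4'][0]} "
                            "ports must use the same transport protocol")
        key = frozenset((s, k, str(v)) for s, d in (("source", src), ("destination", dst))
                        for k, v in d.items())
        if key in seen:
            findings.append(f"rule {n}: same filtering criteria as rule {seen[key]}; "
                            "the device reports that the rule already exists")
        else:
            seen[key] = n
        if "vlan" in src and "interface" in src:
            findings.append(f"rule {n}: interface {src['interface']} must belong to VLAN "
                            f"{src['vlan']} or the rule does not take effect; verify on the device")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_free_rules(RULES)))
```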

Related commands

display portal free-rule

portal host-check

Use portal host-check to enable host identity check through DHCP snooping entries or IP-MAC binding entries. Only the portal users whose host information exists in the DHCP snooping entries or IP-MAC binding entries are allowed to continue portal authentication.

Use undo portal host-check to disable host identity check through DHCP snooping entries or IP-MAC binding entries.

Syntax

portal host-check { dhcp-snooping | wlan }

undo portal host-check { dhcp-snooping | wlan }

Default

By default, the device performs host identity check through ARP entries.

Views

System view

Default command level

2: System level

Parameters

dhcp-snooping: Performs host identity check through DHCP snooping entries.

wlan: Performs host identity check through IP-MAC binding entries.

Usage guidelines

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

You can use the display wlan client source binding command to display IP-MAC binding entries. For more information about this command, see source IP address verification commands.

Examples

# Enable host identity check through DHCP snooping entries.

<Sysname> system-view

[Sysname] portal host-check dhcp-snooping

portal https-redirect ssl-server-policy

Use portal https-redirect ssl-server-policy to specify an SSL server policy for HTTPS redirection.

Use undo portal https-redirect ssl-server-policy to restore the default.

Syntax

portal https-redirect ssl-server-policy policy-name

undo portal https-redirect ssl-server-policy

Default

By default, no SSL server policy is specified for HTTPS redirection. The device does not redirect HTTPS requests from portal users.

Views

System view

Default command level

2: System level

Parameters

policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 16 characters.

Usage guidelines

You must specify an existing SSL server policy.

If the specified SSL server policy changes or the required certificate for the SSL server changes, you need to respecify the SSL server policy for portal HTTPS redirection. To specify a new SSL server policy, you must first execute the undo form of the command and then specify the new SSL server policy.

Examples

# Specify SSL server policy test for HTTPS redirection.

<Sysname> system-view

[Sysname] ssl server-policy test

[Sysname] portal https-redirect ssl-server-policy test

portal local-server

Use portal local-server to configure the protocol type to be supported by the local portal server and load the default authentication page file.

Use undo portal local-server to cancel the configuration.

Syntax

portal local-server { http | https server-policy policy-name }

undo portal local-server { http | https }

Default

The local portal server does not support any protocol type.

Views

System view

Default command level

2: System level

Parameters

http: Specifies that the local portal server use HTTP to exchange authentication packets with clients.

https: Specifies that the local portal server use HTTPS to exchange authentication packets with clients.

server-policy policy-name: Specifies the SSL server policy to be associated with the HTTPS service. policy-name indicates an SSL server policy name, a case-insensitive string of 1 to 16 characters.

Usage guidelines

When you execute this command, the local portal server loads the default authentication page file, which is expected to be in the root directory of the device. To make sure that the local portal server uses the user-defined default authentication pages, edit and save them properly before executing this command. Otherwise, the system default authentication pages are used.

If you specify HTTP in this command, the redirection URL for HTTP packets is in the format of http://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTP.

If you specify HTTPS in this command, the redirection URL for HTTP packets is in the format of https://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTPS.

You cannot remove an SSL server policy using the undo ssl server-policy command if the policy has been referenced by the HTTPS service.

On the device, all the SSL server policies referenced by the HTTPS service must be the same.

If an online portal user exists on the device, you cannot remove or change the configured protocol type, or modify the SSL server policies referenced.

To change the SSL server policy referenced by HTTPS service, you must cancel the HTTPS configuration using the undo portal local-server https command, and then specify the desired SSL server policy.

Examples

# Configure the local portal server to support HTTP.

<Sysname> system-view

[Sysname] portal local-server http

# Configure the local portal server to support HTTPS and reference SSL server policy policy1, which has been configured already.

<Sysname> system-view

[Sysname] portal local-server https server-policy policy1

# Change the referenced SSL server policy to policy2.

[Sysname] undo portal local-server https

[Sysname] portal local-server https server-policy policy2

Related commands

·     display portal local-server

·     ssl server-policy

portal local-server bind

Use portal local-server bind to configure a binding between one or more SSIDs and an authentication page file. According to the configuration, the local portal server pushes the authentication pages of the specified file to the specified SSID clients.

Use undo portal local-server bind to cancel the binding between the customized page file and the specified or all SSIDs.

Syntax

portal local-server bind ssid ssidname&<1-10> file filename

undo portal local-server bind { ssid ssidname&<1-10> | all }

Default

No binding is configured.

Views

System view

Default command level

2: System level

Parameters

ssid ssidname&<1-10>: Specifies the SSIDs to be bound. The ssidname argument indicates the identifier of an SSID service template, a case-insensitive string of 1 to 32 characters. An SSID string can contain letters, numerals, and spaces, but cannot include spaces at the beginning or end of the string and cannot be f, fi, fil, or file. &<1-10> indicates that you can specify one to ten SSIDs.

file filename: Specifies the file to be bound. The filename argument indicates the name of a customized authentication page file, excluding the path. filename is a string of 1 to 91 characters, and can contain letters, numerals, and underscores. You can edit authentication page files and save them in the portal directory under the root directory of the access device.

all: Specifies all the bound SSIDs.

Usage guidelines

When a user accesses the portal page, if no SSID-to-customized page file binding is configured on the device, the local portal server pushes the default authentication pages to the client. If such a binding is configured, the local portal server pushes the authentication pages from the customized page file that is bound to the SSID of the user's logon interface.

If the name or contents of the file in a binding entry are changed, you must re-configure the binding.

To modify a binding, simply re-execute the portal local-server bind command, without canceling the existing binding.

If you bind the same SSID to different authentication page files, the last binding takes effect.

Up to 128 binding entries are allowed on the device.

Examples

# Bind SSID1 and SSID2 to the customized authentication page file named file12.zip.

<Sysname> system-view

[Sysname] portal local-server bind ssid ssid1 ssid2 file file12.zip

Related commands

display portal local-server

portal log packet

Use portal log packet to enable logging for portal packets.

Use undo portal log packet to disable logging for portal packets.

Syntax

portal log packet

undo portal log packet

Default

The portal packet logging function is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable logging for portal packets.

<Sysname> system-view

[Sysname] portal log packet

portal mac-trigger binding-retry

Use portal mac-trigger binding-retry to set the maximum number of attempts for transmitting a MAC binding query to the MAC binding server and the transmission interval.

Use undo portal mac-trigger binding-retry to restore the default.

Syntax

portal mac-trigger binding-retry retry-times interval interval-value

undo portal mac-trigger binding-retry

Default

The maximum number of transmission attempts is 3, and the transmission interval is 1 second.

Views

Interface view

Default command level

2: System level

Parameters

binding-retry retry-times: Sets the maximum number of attempts for transmitting a MAC binding query to the MAC binding server. The value range for the retry-times argument is 1 to 10.

interval interval-value: Sets the transmission interval in seconds. The value range for the interval-value argument is 1 to 60.

Examples

# Set the maximum number of attempts for transmitting a MAC binding query to 5, and the transmission interval to 2 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 10

[Sysname-Vlan-interface10] portal mac-trigger binding-retry 5 interval 2

Related commands

·     portal mac-trigger enable

·     portal mac-trigger server

·     portal server

·     portal server method

portal mac-trigger enable

Use portal mac-trigger enable to enable MAC-based quick portal authentication (also referred to as MAC-triggered authentication) on an interface.

Use undo portal mac-trigger enable to restore the default.

Syntax

portal mac-trigger enable [ period period-value ] [ threshold threshold-value ]

undo portal mac-trigger enable

Default

MAC-triggered authentication is disabled.

Views

Interface view

Default command level

2: System level

Parameters

period period-value: Specifies the interval at which the access device collects statistics for user traffic. The value range for the period-value argument is 60 to 7200 seconds, and the default is 300 seconds.

threshold threshold-value: Specifies the traffic threshold that triggers MAC-based quick portal authentication. The value range for the threshold-value argument is 0 to 10240000 bytes, and the default is 0. A value of 0 means that the device performs MAC-based quick portal authentication for a portal user as long as the user accesses the network, and only allows the traffic that is permitted by portal-free rules before the user passes the authentication. A bigger threshold means that more traffic is allowed before authentication. Set a proper threshold as needed.

Usage guidelines

The access device checks portal user traffic in real time. In one statistical interval, a user can access the external network before the user's traffic reaches the threshold. When the user's traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user. If the user passes the authentication, the user can continue accessing the network, the statistics are cleared, and a new statistical interval starts. If the user fails the authentication, the user cannot access the network in the current interval, the statistics are cleared when the interval expires, and a new statistical interval starts.

To enable MAC-triggered authentication, you must complete the following tasks:

·     Complete basic Layer 3 portal authentication configuration.

·     Specify the IP address and port number of a MAC binding server.

·     Enable MAC-triggered authentication on the interface enabled with Layer 3 portal authentication.

·     Use portal server to specify the MAC binding server's IP address as the portal server's IP address, and specify any name for the portal server. You do not need to specify other parameters in the portal server command.

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Enable MAC-triggered authentication on VLAN-interface 1, specify the traffic inspection interval as 300 seconds, and specify the traffic threshold as 10240 bytes.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] portal mac-trigger enable period 300 threshold 10240
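The threshold-and-interval behaviour from the usage guidelines above, modelled as an added Python example (not device firmware or H3C code). The MAC binding server is stood in for by a set of MAC addresses that have a stored binding; the MAC addresses and byte counts are constructed.

```python
"""Model of the traffic-threshold logic described for
portal mac-trigger enable [ period period-value ] [ threshold threshold-value ].

Constructed example, not device firmware: the MAC binding server is modelled
as a set of MAC addresses that have a stored MAC-to-account binding.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class MacTriggerPolicy:
    period: int = 300       # statistical interval in seconds (60-7200, default 300)
    threshold: int = 0      # bytes before authentication is triggered (0-10240000, default 0)

    def __post_init__(self) -> None:
        if not 60 <= self.period <= 7200:
            raise ValueError("period-value must be 60 to 7200 seconds")
        if not 0 <= self.threshold <= 10240000:
            raise ValueError("threshold-value must be 0 to 10240000 bytes")


@dataclass
class UserState:
    interval_start: int
    bytes_seen: int = 0
    authenticated: bool = False
    blocked: bool = False                      # failed authentication in this interval
    auth_log: List[Tuple[int, bool]] = field(default_factory=list)


class MacTriggerSimulator:
    def __init__(self, policy: MacTriggerPolicy, bound_macs: Set[str]) -> None:
        self.policy = policy
        self.bound_macs = bound_macs           # stand-in for the MAC binding server
        self.users: Dict[str, UserState] = {}

    def _state(self, mac: str, now: int) -> UserState:
        st = self.users.get(mac)
        if st is None:
            st = self.users[mac] = UserState(interval_start=now)
            return st
        elapsed = now - st.interval_start
        if elapsed >= self.policy.period:
            # Interval expired: statistics are cleared and a new interval starts.
            # A user who failed authentication gets a fresh attempt in the new interval.
            st.interval_start += (elapsed // self.policy.period) * self.policy.period
            st.bytes_seen = 0
            st.blocked = False
        return st

    def packet(self, mac: str, nbytes: int, now: int, free_rule: bool = False) -> str:
        """Forwarding decision ('permit' or 'deny') for one packet from mac at time now."""
        st = self._state(mac, now)
        if st.authenticated or free_rule:
            return "permit"                    # authenticated users and portal-free traffic always pass
        if st.blocked:
            return "deny"                      # failed this interval: blocked until the interval expires
        st.bytes_seen += nbytes
        if st.bytes_seen < self.policy.threshold:
            return "permit"                    # below threshold: external access allowed before auth
        # Threshold reached (with threshold 0 this is the very first packet):
        # trigger MAC-based quick authentication via the MAC binding server.
        ok = mac in self.bound_macs
        st.auth_log.append((now, ok))
        if ok:
            st.authenticated = True
            st.bytes_seen = 0                  # statistics cleared, new interval starts
            st.interval_start = now
            return "permit"
        st.blocked = True
        return "deny"


def demo() -> List[str]:
    """Walk a bound and an unbound client through the page's example policy
    (period 300 s, threshold 10240 bytes); returns the decisions in order."""
    sim = MacTriggerSimulator(MacTriggerPolicy(period=300, threshold=10240),
                              bound_macs={"00:11:22:33:44:55"})
    return [
        sim.packet("00:11:22:33:44:55", 6000, now=0),      # below threshold
        sim.packet("00:11:22:33:44:55", 6000, now=10),     # reaches threshold, binding found
        sim.packet("00:11:22:33:44:55", 50000, now=20),    # authenticated
        sim.packet("66:77:88:99:aa:bb", 6000, now=0),      # below threshold
        sim.packet("66:77:88:99:aa:bb", 6000, now=10),     # reaches threshold, no binding
        sim.packet("66:77:88:99:aa:bb", 10, now=200),      # still blocked in this interval
        sim.packet("66:77:88:99:aa:bb", 10, now=200, free_rule=True),  # portal-free rule traffic
        sim.packet("66:77:88:99:aa:bb", 10, now=300),      # new interval, statistics cleared
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```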

Related commands

·     portal mac-trigger server

·     portal server method

·     portal server

portal mac-trigger exclude-attribute

Use portal mac-trigger exclude-attribute to exclude an attribute from portal protocol packets.

Use undo portal mac-trigger exclude-attribute to cancel the exclusion, so that the attribute is carried in portal protocol packets again.

Syntax

portal mac-trigger exclude-attribute attribute-number

undo portal mac-trigger exclude-attribute attribute-number

Default

No attributes are excluded from portal protocol packets.

Views

System view

Default command level

2: System level

Parameters

attribute-number: Specifies an attribute by its number in the range of 1 to 255.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by server type. During MAC-triggered authentication, the device and the server cannot communicate if the device sends the portal authentication server a packet that contains an attribute the server does not support.

To address this issue, you can configure this command to exclude the unsupported attributes from portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes.

Table 11 describes all attributes of the portal protocol.

Table 11 Portal attributes

Name | Number | Description
UserName | 1 | Name of the user to be authenticated.
PassWord | 2 | User password in plaintext form.
Challenge | 3 | Random challenge for CHAP authentication.
ChapPassWord | 4 | CHAP password encrypted by MD5.
TextInfo | 5 | The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server.
UpLinkFlux | 6 | Uplink (output) traffic of the user.
DownLinkFlux | 7 | Downlink (input) traffic of the user.
Port | 8 | Port information.
IP-Config | 9 | This attribute has different meanings in different types of packets. In ACK_AUTH (Type=0x04) packets, the device uses it to notify the portal server that the user requires re-DHCP. In ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets, the device uses it to indicate that the current user IP address must be released; the portal server must notify the user to release the public IP address through DHCP, and the device will reallocate a private IP address to the user.
BAS-IP | 10 | IP address of the access device. For re-DHCP portal authentication, the value of this attribute is the public IP address of the access device.
Session-ID | 11 | Identification of a portal user. Generally, the value of this attribute is the MAC address of the portal user.
Delay-Time | 12 | Delay time for sending a packet. This attribute exists in NTF_LOGOUT (Type=0x08) packets.
User-List | 13 | List of IP addresses of an IPv4 portal user.
EAP-Message | 14 | An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet.
User-Notify | 15 | Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently.
SSID | 30 | SSID of the portal user.
NAS-ID | 48 | NAS-ID of the portal user.
NAS-Port-ID | 80 | NAS-Port-ID of the portal user.
BAS-IPv6 | 100 | IPv6 address of the access device.
UserIPv6-List | 101 | List of IPv6 addresses of an IPv6 portal user.

Examples

# Exclude the BAS-IP attribute (number 10) from portal packets.

<Sysname> system-view

[Sysname] portal mac-trigger exclude-attribute 10

portal mac-trigger nas-port-type

Use portal mac-trigger nas-port-type to configure the NAS-Port-Type value carried in RADIUS accounting requests that an interface sends for MAC-triggered authentication users.

Use undo portal mac-trigger nas-port-type to restore the default.

Syntax

portal mac-trigger nas-port-type value

undo portal mac-trigger nas-port-type

Default

The port type determines the NAS-Port-Type value.

Views

Interface view

Default command level

2: System level

Parameters

value: Specifies a NAS-Port-Type value in the range of 1 to 255. This value is vendor-defined (proprietary).

Examples

# Configure the NAS-Port-Type value as 30 for RADIUS accounting requests that VLAN-interface 3 sends for MAC-triggered authentication users.

<Sysname> system-view

[Sysname] interface Vlan-interface 3

[Sysname-Vlan-interface3] portal mac-trigger nas-port-type 30

portal mac-trigger server

Use portal mac-trigger server to specify a MAC binding server.

Use undo portal mac-trigger server to restore the default.

Syntax

portal mac-trigger server ip ip-address [ port port-number ]

undo portal mac-trigger server

Default

No MAC binding server is specified.

Views

System view, interface view

Default command level

2: System level

Parameters

ip ip-address: Specifies the IPv4 address of a MAC binding server.

port port-number: Specifies the UDP port number that the MAC binding server uses to listen to the MAC binding requests from the access device. The value range for the port-number argument is 1 to 65534, and the default is 50100.

Usage guidelines

A MAC binding server records MAC-to-account information for portal users. When the MAC binding server receives a MAC binding query from the access device, it checks whether the MAC address has a match. If yes, the MAC binding server obtains the user's account information, and sends the user's username and password to the portal server for portal authentication.

The MAC binding server configured on an interface takes priority over the MAC binding server configured in system view.

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Specify the MAC binding server whose IP address is 2.2.2.2 and port number is 50111.

<Sysname> system-view

[Sysname] portal mac-trigger server ip 2.2.2.2 port 50111

Related commands

portal mac-trigger enable

portal max-user

Use portal max-user to set the maximum number of online portal users allowed in the system.

Use undo portal max-user to restore the default.

Syntax

portal max-user max-number

undo portal max-user

Default

The maximum number of portal users allowed depends on the device model.

Views

System view

Default command level

2: System level

Parameters

max-number: Specifies the maximum number of online portal users allowed in the system. The value range and default value vary with the device model. For more information, see About the H3C Access Controllers Command References.

Usage guidelines

If the maximum number you specify is less than the current number of online portal users, the command is executed successfully and does not affect the online portal users, but the system does not allow new portal users to log in until the number of online users drops below the limit.

Examples

# Set the maximum number of portal users allowed in the system to 100.

<Sysname> system-view

[Sysname] portal max-user 100

portal nas-id

Use portal nas-id to specify the NAS ID value carried in a RADIUS request.

Use undo portal nas-id to restore the default.

Syntax

portal nas-id nas-id

undo portal nas-id

Default

The device name specified through the sysname command is used as the NAS ID of a RADIUS request. For information about the sysname command, see Fundamentals Command Reference.

Views

Interface view, system view

Default command level

2: System level

Parameters

nas-id: NAS ID, a case-sensitive string of 1 to 63 characters. This value is used as the value of the NAS-Identifier attribute in the RADIUS request to be sent to the RADIUS server when a portal user logs on from an interface.

Usage guidelines

You can specify the NAS-identifier attribute value to be carried in a RADIUS request in system view or interface view. The device prefers the value specified in interface view. If no NAS ID is configured for the interface, the device uses the NAS ID configured in system view.

Examples

# Specify the NAS ID of a RADIUS request to be sent on VLAN-interface 2 as 0002053110000460.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-id 0002053110000460

portal nas-id-profile

Use portal nas-id-profile to specify a NAS ID profile for the interface.

Use undo portal nas-id-profile to cancel the configuration.

Syntax

portal nas-id-profile profile-name

undo portal nas-id-profile

Default

An interface is not specified with any NAS ID profile.

Views

Interface view

Default command level

2: System level

Parameters

profile-name: Specifies the name of the profile that defines the binding relationship between VLANs and NAS IDs. It is a case-insensitive string of 1 to 16 characters. You can configure the profile by using the aaa nas-id profile command.

Usage guidelines

If an interface is specified with a NAS ID profile, the interface prefers to use the binding defined in the profile. If no NAS ID profile is specified for an interface or no matching binding is found in the specified profile:

·     If a NAS ID is configured using the portal nas-id command, the device uses the configured NAS ID as that of the interface.

·     If the interface has no NAS ID configured, the device uses the device name as the interface NAS ID.

Examples

# Specify NAS ID profile aaa for VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-id-profile aaa

portal nas-ip

Use portal nas-ip to configure an interface to use a specific source IP address for outgoing portal packets.

Use undo portal nas-ip to delete the specified source IP address. If you do not specify the ipv6 keyword, this command deletes the specified source IPv4 address.

Syntax

portal nas-ip { ipv4-address | ipv6 ipv6-address }

undo portal nas-ip [ ipv6 ]

Default

No source IP address is specified for outgoing portal packets on an interface, and the interface uses the IP address of the user access interface as the source IP address for outgoing portal packets.

Views

Interface view

Default command level

2: System level

Parameters

ipv4-address: Specifies a source IPv4 address for outgoing portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies a source IPv6 address for outgoing portal packets. This IPv6 address must be a local IPv6 address, but cannot be a multicast address, an all 0 address, or a link-local address. Support for this option depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Configure interface VLAN-interface 5 to use 2.2.2.2 as the source IPv4 address for outgoing portal packets.

<Sysname> system-view

[Sysname] interface vlan-interface 5

[Sysname-Vlan-interface5] portal nas-ip 2.2.2.2

portal nas-port-id

Use portal nas-port-id to specify the NAS-Port-ID value carried in a RADIUS request.

Use undo portal nas-port-id to restore the default.

Syntax

portal nas-port-id nas-port-id-value

undo portal nas-port-id

Default

No NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request.

Views

Interface view

Default command level

2: System level

Parameters

nas-port-id-value: NAS-Port-ID value, a case-sensitive string of 1 to 253 characters. This value is used as the value of the NAS-Port-ID attribute in the RADIUS request to be sent to the RADIUS server when a portal user logs on from an interface.

Usage guidelines

If the device uses a RADIUS server for authentication, authorization, and accounting of portal users, when a portal user logs on from an interface, the device sends a RADIUS request that carries the NAS-Port-ID attribute to the RADIUS server.

Examples

# Specify the NAS-Port-ID value of VLAN-interface 2 as ap1.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-port-id ap1

portal nas-port-type

Use portal nas-port-type to specify the access port type (indicated by the NAS-Port-Type value) on the current interface. The specified NAS-Port-Type value is carried in the RADIUS requests sent from the device to the RADIUS server.

Use undo portal nas-port-type to restore the default.

Syntax

portal nas-port-type { ethernet | wireless }

undo portal nas-port-type

Default

The access port type of an interface is not specified, and the NAS-Port-Type value carried in RADIUS requests is the user access port type obtained by the access device.

Views

Interface view

Default command level

2: System level

Parameters

ethernet: Specifies the access port type as Ethernet, which corresponds to code 15.

wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless.

Examples

# Specify the NAS-Port-Type value of VLAN-interface 2 as IEEE 802.11 standard wireless interface.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-port-type wireless

portal grey-rule enable

Use portal grey-rule enable to enable the greylist feature.

Use undo portal grey-rule enable to restore the default.

Syntax

portal grey-rule enable

undo portal grey-rule enable

Default

By default, the greylist feature is disabled.

Views

Interface view

Default command level

2: System level

Usage guidelines

When the greylist feature is enabled, the device does not send statistics for user traffic that matches greylist rules to the AAA server for accounting.

Examples

# Enable the greylist feature on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] portal grey-rule enable

portal grey-rule

Use portal grey-rule to configure a greylist rule.

Use undo portal grey-rule to delete a greylist rule.

Syntax

portal grey-rule rule-number [ source { ip ip-address [ mask { mask-length | mask } ] | wlan ssid ssid-name [ hotspot hotspot-name ] } * ] destination { domain domain-name | ip ip-address [ mask { mask-length | mask } ] | tcp tcp-port-number | udp udp-port-number } *

undo portal grey-rule rule-number

Default

By default, no greylist rules are configured.

Views

System view

Default command level

2: System level

Parameters

rule-number: Specifies the number of a greylist rule. Support for the option depends on the device model. For more information, see About the H3C Access Controllers Command References.

ip ip-address: Specifies the IP address for the greylist rule.

mask { mask-length | mask }: Specifies the address mask for the greylist rule. The mask-length argument represents subnet mask length, in the range of 0 to 32. The mask argument represents a subnet mask in dotted decimal notation.

wlan ssid ssid-name: Specifies an SSID name, a case-insensitive string of 1 to 32 characters.

hotspot hotspot-name: Specifies a hotspot by its name, a case-insensitive string of 1 to 63 characters.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters. Invalid characters are the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), quotation marks ("), vertical bar (|), and at sign (@).

tcp tcp-port-number: Specifies the TCP port number for the greylist rule, in the range of 0 to 65535.

udp udp-port-number: Specifies the UDP port number for the greylist rule, in the range of 0 to 65535.

Usage guidelines

When the greylist feature is enabled, the device does not send statistics for user traffic that matches greylist rules to the AAA server for accounting.

You can add or delete greylist rules, but you cannot modify greylist rules.

Examples

# Configure greylist rule 10 to disable accounting on user traffic destined for domain name www.xyz.com.

<Sysname> system-view

[Sysname] portal grey-rule 10 destination domain www.xyz.com
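An added Python example (not H3C code) that parses the argument string of portal grey-rule into a rule, evaluates constructed sample flows against the rules, and enforces the add-or-delete-only behaviour from the usage guidelines. The flow dictionary keys (src_ip, ssid, hotspot, dst_ip, dst_domain, proto, dst_port) and all addresses are this example's assumptions.

```python
"""Greylist model for portal grey-rule / portal grey-rule enable (constructed example, not device code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class GreyRule:
    number: int
    src_net: Optional[ipaddress.IPv4Network] = None
    ssid: Optional[str] = None
    hotspot: Optional[str] = None
    dst_domain: Optional[str] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    tcp_port: Optional[int] = None
    udp_port: Optional[int] = None

    def matches(self, flow: dict) -> bool:
        """Every criterion configured in the rule must match the flow (logical AND).
        SSID, hotspot and domain names compare case-insensitively, as the parameter text says."""
        lower = lambda key: flow.get(key, "").lower()                    # missing field never matches a name
        addr = lambda key: ipaddress.ip_address(flow.get(key, "0.0.0.0"))
        proto, port = flow.get("proto"), flow.get("dst_port")
        checks = [
            (self.src_net, lambda: addr("src_ip") in self.src_net),
            (self.ssid, lambda: lower("ssid") == self.ssid.lower()),
            (self.hotspot, lambda: lower("hotspot") == self.hotspot.lower()),
            (self.dst_domain, lambda: lower("dst_domain") == self.dst_domain.lower()),
            (self.dst_net, lambda: addr("dst_ip") in self.dst_net),
            (self.tcp_port, lambda: proto == "tcp" and port == self.tcp_port),
            (self.udp_port, lambda: proto == "udp" and port == self.udp_port),
        ]
        return all(check() for value, check in checks if value is not None)


def _parse_addr(t: list, i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'ip-address [ mask { mask-length | mask } ]' at t[i]; no mask means a host address."""
    address, i, prefix = t[i], i + 1, "32"
    if i < len(t) and t[i] == "mask":
        prefix, i = t[i + 1], i + 2              # prefix length 0-32 or dotted-decimal mask
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False), i


def parse_grey_rule(arg_string: str) -> GreyRule:
    """Parse e.g. '10 source wlan ssid guest destination domain www.xyz.com tcp 443'."""
    t = arg_string.split()
    fields: dict = {"number": int(t[0])}
    i, side = 1, None
    while i < len(t):
        tok = t[i]
        if tok in ("source", "destination"):
            side, i = tok, i + 1
        elif side == "source" and tok == "ip":
            fields["src_net"], i = _parse_addr(t, i + 1)
        elif side == "source" and tok == "wlan" and t[i + 1] == "ssid":
            fields["ssid"], i = t[i + 2], i + 3
            if i < len(t) and t[i] == "hotspot":
                fields["hotspot"], i = t[i + 1], i + 2
        elif side == "destination" and tok == "ip":
            fields["dst_net"], i = _parse_addr(t, i + 1)
        elif side == "destination" and tok == "domain":
            fields["dst_domain"], i = t[i + 1], i + 2
        elif side == "destination" and tok in ("tcp", "udp"):
            port = int(t[i + 1])
            if not 0 <= port <= 65535:
                raise ValueError(f"{tok} port {port} out of range 0-65535")
            fields[f"{tok}_port"], i = port, i + 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if not any(k in fields for k in ("dst_domain", "dst_net", "tcp_port", "udp_port")):
        raise ValueError("the destination part of the rule is mandatory")
    return GreyRule(**fields)


def add_rule(rules: Dict[int, GreyRule], arg_string: str) -> GreyRule:
    """Rules can be added or deleted but not modified: re-adding an existing number is rejected."""
    rule = parse_grey_rule(arg_string)
    if rule.number in rules:
        raise ValueError(f"rule {rule.number} exists; run undo portal grey-rule {rule.number} first")
    rules[rule.number] = rule
    return rule


def exempt_from_accounting(rules: Dict[int, GreyRule], enabled: bool, flow: dict) -> bool:
    # True if statistics for this flow are NOT sent to the AAA server: the feature
    # must be enabled on the interface (portal grey-rule enable) and some rule must match.
    return enabled and any(rule.matches(flow) for rule in rules.values())


def demo() -> Dict[str, bool]:
    rules: Dict[int, GreyRule] = {}
    add_rule(rules, "10 destination domain www.xyz.com")                 # the page's example rule
    add_rule(rules, "20 source ip 10.1.0.0 mask 16 wlan ssid guest destination ip 203.0.113.5 tcp 443")
    flows = {   # constructed sample flows
        "xyz_web": {"src_ip": "10.9.0.1", "dst_ip": "198.51.100.7", "dst_domain": "www.xyz.com", "proto": "tcp", "dst_port": 80},
        "guest_tls": {"src_ip": "10.1.2.3", "ssid": "Guest", "dst_ip": "203.0.113.5", "proto": "tcp", "dst_port": 443},
        "guest_udp": {"src_ip": "10.1.2.3", "ssid": "guest", "dst_ip": "203.0.113.5", "proto": "udp", "dst_port": 443},
    }
    return {name: exempt_from_accounting(rules, True, flow) for name, flow in flows.items()}
```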

portal port

Use portal port to specify the listening UDP port for portal packets on the device.

Use undo portal port to restore the default.

Syntax

portal port listen-port

undo portal port

Default

The listening UDP port is 2000.

Views

System view

Default command level

2: System level

Parameters

listen-port: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

In a MAC-BAC environment, the destination port of a portal packet sent by the master AC to the BAS AC must be the listening port configured on the BAS AC. You can use the portal-proxy server port command to configure the destination port of portal packets sent by the master AC.

Examples

# Configure the listening UDP port for portal packets as 30000.

<Sysname> system-view

[Sysname] portal port 30000

Related commands

portal-proxy server port

portal redirect-url

Use portal redirect-url to specify the autoredirection URL for authenticated portal users.

Use undo portal redirect-url to restore the default.

Syntax

portal redirect-url url-string [ wait-time period ]

undo portal redirect-url

Default

An authenticated portal user is redirected to the URL that the user entered in the address bar before portal authentication.

Views

System view

Default command level

2: System level

Parameters

url-string: Specifies the autoredirection URL for authenticated portal users, a string of 1 to 127 characters. It must start with http:// or https:// and must be a fully qualified URL.

wait-time period: Specifies the time that the device waits before redirecting an authenticated portal user to the autoredirection URL. The value range is 1 to 90 seconds, and the default is 5 seconds.

Usage guidelines

To use this feature, the portal server must be an IMC portal server that supports the page auto-redirection function.

The wait-time period option is effective only on local portal authentication.

Examples

# Configure the device to redirect a portal user to http://www.testpt.cn 3 seconds after the user passes portal authentication.

<Sysname> system-view

[Sysname] portal redirect-url http://www.testpt.cn wait-time 3

portal safe-redirect enable

Use portal safe-redirect enable to enable portal safe-redirect.

Use undo portal safe-redirect enable to restore the default.

Syntax

portal safe-redirect enable

undo portal safe-redirect enable

Default

By default, portal safe-redirect is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the portal safe-redirect feature.

<Sysname> system-view

[Sysname] portal safe-redirect enable

portal safe-redirect method

Use portal safe-redirect method to specify an HTTP request method permitted by portal safe-redirect.

Use undo portal safe-redirect method to restore the default.

Syntax

portal safe-redirect method { get | post }

undo portal safe-redirect method

Default

By default, no HTTP request method permitted by portal safe-redirect is specified. HTTP requests with the GET or POST request method are permitted.

Views

System view

Default command level

2: System level

Parameters

get: Specifies the GET request method.

post: Specifies the POST request method.

Usage guidelines

Before you execute this command, make sure the portal safe-redirect feature is enabled.

Examples

# Specify the GET request method for portal safe-redirect.

<Sysname> system-view

[Sysname] portal safe-redirect enable

[Sysname] portal safe-redirect method get

portal safe-redirect user-agent

Use portal safe-redirect user-agent to specify a browser type for portal safe-redirect.

Use undo portal safe-redirect user-agent to delete a browser type from portal safe-redirect.

Syntax

portal safe-redirect user-agent user-agent-string

undo portal safe-redirect user-agent user-agent-string

Views

System view

Default command level

2: System level

Parameters

user-agent-string: Specifies a browser type in HTTP User Agent, a case-sensitive string of 1 to 127 characters. You can specify the browser types as shown in Table 12.

Table 12 Browser type and description

Browser type | Description
Safari | Apple browser
Chrome | Google browser
Firefox | Firefox browser
UC | UC browser
QQBrowser | QQ browser
LBBROWSER | Cheetah browser
TaoBrowser | Taobao browser
Maxthon | Maxthon browser
BIDUBrowser | Baidu browser
MSIE 10.0 | Microsoft IE 10.0 browser
MSIE 9.0 | Microsoft IE 9.0 browser
MSIE 8.0 | Microsoft IE 8.0 browser
MSIE 7.0 | Microsoft IE 7.0 browser
MSIE 6.0 | Microsoft IE 6.0 browser
MetaSr | Sogou browser

Usage guidelines

Before you execute this command, make sure the portal safe-redirect feature is enabled.

Examples

# Specify browser types Chrome and Safari for portal safe-redirect.

<Sysname> system-view

[Sysname] portal safe-redirect enable

[Sysname] portal safe-redirect user-agent chrome

[Sysname] portal safe-redirect user-agent Safari

portal safe-redirect forbidden-url

Use portal safe-redirect forbidden-url to configure a URL forbidden by portal safe-redirect.

Use undo portal safe-redirect forbidden-url to delete a portal safe-redirect forbidden URL.

Syntax

portal safe-redirect forbidden-url user-url-string

undo portal safe-redirect forbidden-url user-url-string

Default

By default, no forbidden URLs are configured. The device can redirect HTTP requests with any URLs.

Views

System view

Default command level

2: System level

Parameters

user-url-string: Specifies a URL forbidden by portal safe-redirect, a case-sensitive string of 1 to 127 characters.

Usage guidelines

Before you execute this command, make sure the portal safe-redirect feature is enabled.

Examples

# Specify 3g.qq.com as a portal safe-redirect forbidden URL.

<Sysname> system-view

[Sysname] portal safe-redirect enable

[Sysname] portal safe-redirect forbidden-url 3g.qq.com
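The portal safe-redirect method, user-agent and forbidden-url checks combined into one redirect decision, as an added Python example that is not device code. Where the page does not state the matching semantics, the example assumes them: a browser type is a case-sensitive substring of the User-Agent header (Table 12 capitalization), a forbidden URL is a substring of the requested URL, a request that fails a check is simply not redirected, and with the feature disabled no extra filtering applies. The HTTP requests are constructed.

```python
"""Decision model for portal safe-redirect (enable, method, user-agent, forbidden-url).

Constructed example, not device code. Assumed, because the page does not say:
browser types and forbidden URLs are matched as case-sensitive substrings, a
request failing a check is not redirected, and a disabled feature filters nothing.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class SafeRedirectConfig:
    enabled: bool = False
    method: Optional[str] = None                           # None: GET and POST both permitted (default)
    user_agents: Set[str] = field(default_factory=set)     # browser types, see Table 12
    forbidden_urls: Set[str] = field(default_factory=set)

    def _require_enabled(self) -> None:
        # Usage guidelines: the feature must be enabled before the other commands.
        if not self.enabled:
            raise RuntimeError("execute portal safe-redirect enable first")

    def set_method(self, keyword: str) -> None:            # portal safe-redirect method { get | post }
        self._require_enabled()
        if keyword not in ("get", "post"):
            raise ValueError("method must be get or post")
        self.method = keyword.upper()

    def add_user_agent(self, browser_type: str) -> None:   # portal safe-redirect user-agent
        self._require_enabled()
        if not 1 <= len(browser_type) <= 127:
            raise ValueError("user-agent-string must be 1 to 127 characters")
        self.user_agents.add(browser_type)

    def add_forbidden_url(self, url: str) -> None:          # portal safe-redirect forbidden-url
        self._require_enabled()
        if not 1 <= len(url) <= 127:
            raise ValueError("user-url-string must be 1 to 127 characters")
        self.forbidden_urls.add(url)


def parse_request(raw: str) -> dict:
    """Minimal parse of an HTTP/1.x request head into method, URL and User-Agent."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break                                           # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method,
            "url": "http://" + headers.get("host", "") + target,
            "user_agent": headers.get("user-agent", "")}


def redirect_decision(cfg: SafeRedirectConfig, req: dict) -> Tuple[bool, str]:
    """Whether the device redirects this unauthenticated user's HTTP request to the portal page."""
    if not cfg.enabled:
        return True, "safe-redirect disabled: request redirected"
    permitted = {cfg.method} if cfg.method else {"GET", "POST"}
    if req["method"] not in permitted:
        return False, f"method {req['method']} not permitted"
    if cfg.user_agents and not any(ua in req["user_agent"] for ua in cfg.user_agents):
        return False, "browser type not permitted"
    if any(bad in req["url"] for bad in cfg.forbidden_urls):
        return False, "URL is forbidden"
    return True, "redirected to portal page"


# Constructed sample requests (not captured traffic).
BROWSER_GET = ("GET /news HTTP/1.1\r\nHost: www.example.com\r\n"
               "User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 Safari/537.36\r\n\r\n")
APP_POST = ("POST /api/sync HTTP/1.1\r\nHost: api.example.net\r\n"
            "User-Agent: okhttp/4.9\r\n\r\n")
QQ_GET = ("GET /index.html HTTP/1.1\r\nHost: 3g.qq.com\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/120.0\r\n\r\n")
BROWSER_POST = ("POST /form HTTP/1.1\r\nHost: www.example.com\r\n"
                "User-Agent: Mozilla/5.0 Chrome/120.0\r\n\r\n")


def demo() -> dict:
    """Apply the page's example settings (GET only; Chrome and Safari; 3g.qq.com forbidden)."""
    cfg = SafeRedirectConfig(enabled=True)
    cfg.set_method("get")
    cfg.add_user_agent("Chrome")                            # strings are case-sensitive
    cfg.add_user_agent("Safari")
    cfg.add_forbidden_url("3g.qq.com")
    samples = [("browser_get", BROWSER_GET), ("app_post", APP_POST),
               ("qq_get", QQ_GET), ("browser_post", BROWSER_POST)]
    return {name: redirect_decision(cfg, parse_request(raw))[0] for name, raw in samples}
```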

portal server

Use portal server to configure a portal server for Layer 3 portal authentication.

Use undo portal server to remove a portal server, restore the default destination port and default URL address, or delete the shared key or the VPN instance configuration.

Syntax

portal server server-name { ip ipv4-address [ key [ cipher | simple ] key-string | port port-id | server-type { cmcc | imc } | url url-string ] * | ipv6 ipv6-address [ key [ cipher | simple ] key-string | port port-id | server-type { cmcc | imc } | url url-string ] * }

undo portal server server-name [ key | port | server-type | url ]

Default

No portal server is configured for Layer 3 portal authentication.

Views

System view

Default command level

2: System level

Parameters

server-name: Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters.

ip ipv4-address: Specifies the IPv4 address of the portal server. If you specify the local portal server, the IP address specified must be that of a Layer 3 interface on the device and must be reachable from the portal clients. In portal stateful failover environments, however, H3C recommends specifying the virtual IP address of the VRRP group to which the downlink belongs.

ipv6 ipv6-address: Specifies the IPv6 address of the portal server. Support for the option depends on the device model. For more information, see About the H3C Access Controllers Command References.

key: Specifies a shared key for communication with the portal server. Portal packets exchanged between the access device and the portal server carry an authenticator, which is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

key-string: Specifies the shared key. This argument is case sensitive. If simple is specified, it must be a string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If neither simple nor cipher is specified, you set a plaintext shared key.

port port-id: Specifies the destination port number used when the device sends an unsolicited message to the portal server, in the range of 1 to 65534. The default is 50100.

server-type { cmcc | imc }: Specifies the portal server type. The default is imc. Support for this option depends on the device model. For more information, see About the H3C Access Controllers Command References.

·     cmcc: CMCC portal server. To use a CMCC portal server, you must also specify a device ID for the device by using the portal device-id command.

·     imc: H3C IMC portal server.

url url-string: Specifies the uniform resource locator (URL) to which HTTP packets are to be redirected. The default URL is in the http://ip-address format, where ip-address is the IP address of the portal server. You can also specify the domain name of the portal server, in which case you must use the portal free-rule command to configure the IP address of the DNS server as a portal authentication-free destination IP address.

Usage guidelines

The specified server name and URL string cannot contain any of these characters: question mark (?), angle brackets (<>), backward slash (\), double quotation mark ("), single quotation mark ('), percent sign (%), ampersand (&), and pound sign (#).

If the specified portal server exists and no user is online on the interfaces referencing it, the undo portal server server-name command removes the portal server. If the port, server-type, or url keyword is also provided, the command instead restores the corresponding setting (destination port number, server type, or URL) to its default.

You can remove the configured portal server or modify its parameters only when the portal server is not referenced by an interface. To remove or modify the settings of a portal server that has been referenced by an interface, you must first remove the portal configuration on the interface by using the undo portal command.

For local portal server configuration, the key, port, server-type, and url keywords are usually not required and, if configured, do not take effect. When using local portal servers for stateful failover in wireless environments, however, the url keyword is required and the address format must be http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm. Which format is used depends on the protocol type (HTTP or HTTPS, configured by the portal local-server command) supported by the local portal servers. The ip-address is the virtual IP address of the VRRP group to which the downlink belongs.

For secrecy, all keys, including keys configured in plain text, are saved in cipher text.

Examples

# Configure portal server pts, setting the IP address to 192.168.0.111, the plaintext key to portal, and the redirection URL to http://192.168.0.111/portal.

<Sysname> system-view

[Sysname] portal server pts ip 192.168.0.111 key simple portal url http://192.168.0.111/portal

Related commands

display portal server

portal server banner

Use portal server banner to configure the welcome banner of the default webpage provided by the local portal server.

Use undo portal server banner to restore the default.

Syntax

portal server banner banner-string

undo portal server banner

Default

No webpage welcome banner is configured.

Views

System view

Default command level

2: System level

Parameters

banner-string: Specifies the welcome banner for the webpage, a case-sensitive string of 1 to 50 characters. It cannot contain the less-than sign (<) or the ampersand (&). If multiple continuous spaces exist in the string, the browser recognizes them as one.

Usage guidelines

The configured welcome banner is applied to only the default authentication pages, rather than the customized authentication pages.

Examples

# Configure the welcome banner of the default webpage provided by the local portal server as Welcome to Portal Authentication.

<Sysname> system-view

[Sysname] portal server banner Welcome to Portal Authentication

portal server include-error-message

Use portal server include-error-message to enable the device to send error codes for authentication failures to the portal server.

Use undo portal server include-error-message to restore the default.

Syntax

portal server server-name include-error-message

undo portal server server-name include-error-message

Default

By default, the device does not send authentication failure error codes to the portal server.

Views

System view

Default command level

2: System level

Parameters

server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.

Examples

# Enable the device to send error codes for authentication failures to the portal server.

<Sysname> system-view

[Sysname] portal server cmcc include-error-message

portal server method

Use portal server method to enable Layer 3 portal authentication on an interface, and specify the portal server and the authentication mode to be used.

Use undo portal to disable the specified portal server or all portal servers on an interface.

Syntax

portal server server-name method { direct | layer3 | redhcp }

undo portal [ server server-name ]

Default

Layer 3 portal authentication is disabled on an interface.

Views

Interface view

Default command level

2: System level

Parameters

server-name: Specifies a portal server by its name, a case-sensitive string of 1 to 32 characters.

method: Specifies the authentication mode to be used.

direct: Specifies the direct authentication.

layer3: Specifies the cross-subnet authentication.

redhcp: Specifies the re-DHCP authentication.

Usage guidelines

The specified portal server must exist.

For the local portal server, the re-DHCP authentication mode can be configured but does not take effect.

IPv6 portal authentication does not support the re-DHCP authentication mode.

You can enable both an IPv4 portal server and an IPv6 portal server for Layer 3 portal authentication on an interface, but you cannot enable two IPv4 or two IPv6 portal servers on the interface.

When both an IPv4 portal server and an IPv6 portal server are enabled for Layer 3 portal authentication on an interface, the device obtains the client IP address by the following rules:

·     If the client uses an IPv4 address for authentication, the device can obtain both the IPv4 address and the IPv6 address of the client.

·     If the client uses an IPv6 address for authentication, the device can obtain only the IPv6 address of the client.

If you do not specify a portal server in the undo portal command, the command removes all Layer 3 portal authentication configurations on the interface.

On devices that do not support IPv6 portal servers, the server server-name option is not supported in the undo command. For support information about IPv6 portal server on devices, see About the H3C Access Controllers Configuration Guides.

Examples

# Enable Layer 3 portal authentication on interface VLAN-interface 100, referencing portal server pts and setting the authentication mode to direct.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] portal server pts method direct

Related commands

display portal server

portal server server-detect

Use portal server server-detect to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. When this function is configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes.

Use undo portal server server-detect to cancel the detection of the specified portal server.

Syntax

portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | redirect-server server-name | trap } * [ interval interval ] [ retry retries ]

undo portal server server-name server-detect

Default

The portal server detection function is not configured.

Views

System view

Default command level

2: System level

Parameters

server-name: Specifies a portal server by its name, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.

server-detect method { http | portal-heartbeat }: Specifies the portal server detection method. Two detection methods are available:

·     http: Probes HTTP connections. In this method, the access device periodically sends TCP connection requests to the HTTP service port of the portal servers enabled on its interfaces. If the TCP connection with a portal server can be established, the access device considers that the HTTP service of the portal server is open and the portal server is reachable, and the detection succeeds. If the TCP connection cannot be established, the detection fails and the access device considers the portal server unreachable. If a portal server does not support the portal server heartbeat function, you can configure the device to use the HTTP probe method to detect the reachability of the portal server.

·     portal-heartbeat: Probes portal heartbeat packets. Portal servers periodically send portal heartbeat packets to the access devices. If the access device receives a portal heartbeat packet from a portal server within the specified interval, the access device considers that the probe succeeds and the portal server is reachable. Otherwise, it considers that the probe fails and the portal server is unreachable. This method is effective to only portal servers that support the portal heartbeat function. Currently, only the IMC portal server supports this function. To implement detection with this method, you also need to configure the portal server heartbeat function on the IMC portal server and make sure that the server heartbeat interval configured on the portal server is shorter than or equal to the probe interval configured on the device.

action { log | permit-all | redirect-server server-name | trap }: Specifies the actions to be taken when the status of a portal server changes. The following actions are available:

·     log: Specifies the action as sending a log message. When the status (reachable/unreachable) of a portal server changes, the access device sends a log message. The log message contains the portal server name and the current state and original state of the portal server.

·     permit-all: Specifies the action as disabling portal authentication—enabling portal authentication bypass. When the device detects that a portal server is unreachable, it disables portal authentication on the interface referencing the portal server, allowing all portal users on this interface to access network resources. When the access device receives the portal server heartbeat packets or authentication packets (such as login requests and logout requests), it re-enables the portal authentication function.

·     redirect-server server-name: Specifies the action as redirection. The server-name argument represents a server name, a case-sensitive string of 1 to 32 characters. You must specify an existing server. When the detected portal server is unreachable, the device redirects portal users to the redirection URL of the specified server.

·     trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of a portal server changes, the access device sends a trap message to the network management server (NMS). The trap message contains the portal server name and the current state of the portal server.

interval interval: Specifies the interval at which probe attempts are made, in the range of 20 to 600 seconds. The default interval is 20 seconds.

retry retries: Sets the maximum number of probe attempts, in the range of 1 to 5. The default is 3. If the number of consecutive failed probes reaches this value, the access device considers that the portal server is unreachable.

Usage guidelines

You can specify one or more detection methods and the actions to be taken.

If both detection methods are specified, a portal server is regarded as unreachable as long as one detection method fails, and an unreachable portal server is regarded as recovered only when both detection methods succeed.

If multiple actions are specified, the system executes all the specified actions when the status of a portal server changes.

Deleting a portal server on the device will delete the detection function for the portal server.

If you configure the detection function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.

The portal server detection function takes effect only when the portal server is referenced on an interface.

Authentication-related packets from a portal server, such as logon requests and logoff requests, have the same effect as the portal heartbeat packets for the portal server detection function.

The portal authentication bypass function is not supported on an interface where different portal servers are specified for different SSID-and-AP associations.
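The detection rules above (retry counts consecutive failed probes, a probe round fails when any configured method fails, recovery needs every method to succeed, every configured action fires on each status change, and authentication packets from the server count as heartbeats) are small enough to model. The following Python is an added illustration and not H3C code: the class and method names are assumptions, and the probe results fed to it are constructed inputs, not real probes.

```python
"""Added model of portal server server-detect (illustration, not H3C code)."""
from dataclasses import dataclass, field

METHODS = {"http", "portal-heartbeat"}
ACTIONS = {"log", "permit-all", "redirect-server", "trap"}


@dataclass
class ServerDetect:
    """Detection state for one portal server (names are assumptions)."""
    name: str
    methods: tuple            # one or both of METHODS
    actions: tuple            # one or more of ACTIONS
    interval: int = 20        # probe interval in seconds (20..600)
    retry: int = 3            # consecutive failed probes before 'unreachable' (1..5)
    reachable: bool = True    # assumed initial state: server reachable
    failures: int = 0         # consecutive failed probe rounds so far
    events: list = field(default_factory=list)  # actions taken, in order

    def __post_init__(self):
        if not (20 <= self.interval <= 600):
            raise ValueError("interval must be 20..600 seconds")
        if not (1 <= self.retry <= 5):
            raise ValueError("retry must be 1..5")
        if not self.methods or not set(self.methods) <= METHODS:
            raise ValueError("unknown detection method")
        if not self.actions or not set(self.actions) <= ACTIONS:
            raise ValueError("unknown action")

    def probe_round(self, results):
        """One probe interval. `results` maps each configured method to
        True (probe succeeded) or False. Returns True if the status changed."""
        # One failing method fails the round; recovery needs all of them.
        ok = all(results[m] for m in self.methods)
        if ok:
            self.failures = 0
            return self._set(True)
        self.failures += 1
        if self.failures >= self.retry:
            return self._set(False)
        return False

    def packet_from_server(self):
        """A heartbeat or authentication packet (logon/logoff request) from the
        server is treated as immediate recovery, as the permit-all text describes
        (modelling assumption: no HTTP probe is required in addition)."""
        self.failures = 0
        return self._set(True)

    def _set(self, up):
        """Apply a new status; fire every configured action on a change."""
        if up == self.reachable:
            return False
        old, self.reachable = self.reachable, up
        for action in self.actions:
            if action == "log":
                self.events.append(("log", self.name, old, up))
            elif action == "trap":
                self.events.append(("trap", self.name, up))
            elif action == "permit-all":
                # fail-open: bypass is on for as long as the server is unreachable
                self.events.append(("portal-bypass", "off" if up else "on"))
            elif action == "redirect-server":
                self.events.append(("redirect-users", "off" if up else "on"))
        return True


def run_page_example():
    """The page's example: both methods, log + permit-all + trap, 600 s, retry 2.
    Constructed probe results: heartbeat missing for three rounds, then back."""
    d = ServerDetect("pts", ("http", "portal-heartbeat"),
                     ("log", "permit-all", "trap"), interval=600, retry=2)
    d.probe_round({"http": True, "portal-heartbeat": False})   # 1st failure
    d.probe_round({"http": True, "portal-heartbeat": False})   # 2nd: unreachable
    d.probe_round({"http": True, "portal-heartbeat": False})   # HTTP alone is not recovery
    d.probe_round({"http": True, "portal-heartbeat": True})    # both succeed: recovered
    return d.events
```

The model makes the fail-open nature of permit-all visible: after retry consecutive failed rounds the bypass is switched on and every user on the interface passes without authentication, and it is switched off again only when the server is seen again. Monitoring the log and trap actions for that transition is what tells an operator how long the interface ran open.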

Examples

# Configure the device to detect portal server pts:

·     Specifying both the HTTP probe and portal heartbeat probe methods

·     Setting the probe interval to 600 seconds

·     Configuring the device to send a server unreachable trap message, send a log message, and disable portal authentication to permit unauthenticated portal users if two consecutive probes fail.

<Sysname> system-view

[Sysname] portal server pts server-detect method http portal-heartbeat action log permit-all trap interval 600 retry 2

Related commands

display portal server

portal server user-sync

Use portal server user-sync to configure portal user information synchronization with a specific portal server. When this function is configured, the device periodically checks and responds to the user synchronization packets received from the specified portal server, to keep the online user information on the device consistent with that on the portal server.

Use undo portal server user-sync to cancel the portal user information synchronization configuration with the specified portal server.

Syntax

portal server server-name user-sync [ interval interval ] [ retry retries ]

undo portal server server-name user-sync

Default

The portal user synchronization function is not configured.

Views

System view

Default command level

2: System level

Parameters

server-name: Specifies a portal server by its name, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.

user-sync: Enables the portal user synchronization function.

interval interval: Specifies the interval at which the device checks the user synchronization packets. The value range for the interval argument is 60 to 3600 seconds, and the default interval is 300 seconds.

retry retries: Specifies the maximum number of consecutive failed checks. The value range is 1 to 5 and the default is 4. If the access device finds that one of its users does not exist in the user synchronization packets from the portal server within N consecutive probe intervals (N = retries), it considers that the user does not exist on the portal server and logs the user off.

Usage guidelines

The user information synchronization function requires that a portal server supports the portal user heartbeat function (currently only the IMC portal server supports portal user heartbeat). To implement the portal user synchronization function, you also need to configure the user heartbeat function on the portal server and make sure that the user heartbeat interval configured on the portal server is shorter than or equal to the synchronization probe interval configured on the device.

Deleting a portal server on the device will delete the portal user synchronization configuration with the portal server.

If you configure the user synchronization function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.

For redundant user information on the device (information of users considered nonexistent on the portal server), the device deletes the information during the (N+1)th probe interval, where N equals the value of retries configured in the portal server user-sync command.
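The retry and (N+1)th-interval rules above decide when the device logs off a user the server no longer reports. The Python below is an added model of that bookkeeping, not H3C code; the class and method names are assumptions, and the synchronization packet contents are constructed sets of user names.

```python
"""Added model of portal server user-sync (illustration, not H3C code)."""


class UserSync:
    """Tracks which online portal users the server still reports.
    Class and method names are assumptions, not H3C identifiers."""

    def __init__(self, interval=300, retry=4):
        if not (60 <= interval <= 3600):
            raise ValueError("interval must be 60..3600 seconds")
        if not (1 <= retry <= 5):
            raise ValueError("retry must be 1..5")
        self.interval = interval
        self.retry = retry
        self.misses = {}      # online user -> consecutive sync packets missing it
        self.stale = set()    # users judged nonexistent on the server

    def login(self, user):
        """A user comes online on the device."""
        self.misses[user] = 0

    def sync_interval(self, server_users):
        """One synchronization probe interval. `server_users` is the set of
        users listed in the user synchronization packet(s) received during
        the interval. Returns the users logged off in this interval."""
        # Users judged stale in the previous interval are deleted now,
        # i.e. during the (N+1)th interval after they first went missing.
        logged_off = sorted(self.stale)
        for user in logged_off:
            self.misses.pop(user, None)
        self.stale.clear()
        for user in list(self.misses):
            if user in server_users:
                self.misses[user] = 0          # seen again: counter resets
            else:
                self.misses[user] += 1
                if self.misses[user] >= self.retry:
                    self.stale.add(user)       # missing for N = retry intervals
        return logged_off

    def online_users(self):
        """Users the device still considers online."""
        return sorted(self.misses)


def heartbeat_setting_ok(server_user_heartbeat, probe_interval):
    """The user heartbeat interval on the server must not exceed the probe
    interval on the device; otherwise users are missed through timing alone."""
    return server_user_heartbeat <= probe_interval
```

With retry 2 as in the page's example, a user absent from two consecutive synchronization packets is marked stale and removed at the start of the third interval; a user that reappears before that has the counter reset. The heartbeat_setting_ok check encodes the configuration constraint stated in the usage guidelines.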

Examples

# Configure the device to synchronize portal user information with portal server pts:

·     Setting the synchronization probe interval to 600 seconds

·     Configuring the device to log off users whose information does not exist in the user synchronization packets sent from the server in two consecutive probe intervals.

<Sysname> system-view

[Sysname] portal server pts user-sync interval 600 retry 2

portal silent

Use portal silent to set the portal silent mode for the specified clients.

Use undo portal silent to restore the default.

Syntax

portal silent { android | ios user-agent [ user-agent [ reply-file file-name ] ] }

undo portal silent [ android | ios user-agent [ user-agent ] ]

Default

The portal silent mode is not set for any clients.

Views

System view, interface view

Default command level

2: System level

Parameters

android: Specifies the Android clients.

ios: Specifies the iOS clients.

user-agent [ user-agent ]: Specifies an HTTP user agent for unauthenticated portal users using iOS clients. The user-agent argument is the keyword or full name of the user agent. If no user agent is specified, the user agent CaptiveNetworkSupport is used.

reply-file file-name: Specifies an HTML file as the response to HTTP requests from iOS clients. The administrator can customize and upload the HTML file to the root directory of the access device. If no HTML file is specified, the access device responds with the built-in HTML file.

Usage guidelines

The silent mode avoids redirecting a client to the portal authentication page when the client probes the network before a user initiates portal authentication.

The silent mode functions as follows:

·     Before portal authentication, if an Android client sends General 204 HTTP packets, the HTTP packets are dropped and will not trigger portal authentication.

·     Before portal authentication, if an iOS client sends HTTP requests that match the user agent specified by user-agent, the access device responds with the page specified by reply-file. The iOS client will not trigger portal authentication. If the HTTP requests do not match the specified user agent, the iOS client is redirected to the portal authentication page.

The portal silent configuration made in interface view takes priority over the configuration made in system view.

Examples

# Configure iOS clients to be in silent mode, and use the file response.html to respond to HTTP requests in which the User-Agent field contains CaptiveNetworkSupport.

<Sysname> system-view

[Sysname] portal silent ios user-agent CaptiveNetworkSupport reply-file response.html

portal silent ios optimize

Use portal silent ios optimize to enable the optimized captive-bypass feature for iOS mobile devices.

Use undo portal silent ios optimize to restore the default.

Syntax

portal silent ios optimize

undo portal silent ios optimize

Default

By default, the optimized captive-bypass feature is disabled for iOS mobile devices.

Views

System view

Default command level

2: System level

Usage guidelines

The optimized captive-bypass feature applies only to iOS mobile devices. The device automatically pushes the portal authentication page to iOS mobile devices when they are connected to the network. Users can press the home button to return to the desktop without triggering portal authentication, and the Wi-Fi connection is not terminated.

Examples

# Enable the optimized captive-bypass feature for iOS mobile devices.

<Sysname> system-view

[Sysname] portal silent ios optimize

portal url-param des-key

Use portal url-param des-key to configure a DES key for the parameter carried in the redirection URL.

Use undo portal url-param des-key to restore the default.

Syntax

portal url-param des-key { simple | cipher } key

undo portal url-param des-key

Default

The DES key is 12345678.

Views

System view, interface view

Default command level

2: System level

Parameters

simple: Sets a plaintext shared key.

cipher: Sets a ciphertext shared key.

key: Specifies the shared key. This argument is case sensitive. If simple is specified, it must be a string of 8 characters. If cipher is specified, it must be a ciphertext string of 1 to 41 characters.

Usage guidelines

The DES key specified in interface view takes priority over the DES key specified in system view.

Examples

# Configure the plaintext DES key as test1234 for the parameter carried in the redirection URL.

<Sysname> system-view

[Sysname] portal url-param des-key simple test1234

portal url-param format

Use portal url-param format to configure the MAC address format in the redirection URL.

Use undo portal url-param format to cancel the format configuration for the MAC addresses in the redirection URL.

Syntax

portal url-param { user-mac | ap-mac } format { with-2-hyphen | with-5-hyphen | no-hyphen } { lowercase | uppercase }

undo portal url-param { user-mac | ap-mac } format

Default

By default, the user MAC address or AP MAC address in the redirection URL uses the six-section format and uppercase letters.

Views

Interface view

Default command level

2: System level

Parameters

user-mac: Specifies the user MAC address.

ap-mac: Specifies the AP MAC address.

with-2-hyphen: Specifies the three-section format H-H-H.

with-5-hyphen: Specifies the six-section format H-H-H-H-H-H.

no-hyphen: Specifies the one-section format, which uses no delimiters in the MAC address.

lowercase: Uses lowercase letters in the MAC address.

uppercase: Uses uppercase letters in the MAC address.

Examples

# Configure the user MAC address in the redirection URL to use the one-section format and lowercase letters.

<Sysname> system-view

[Sysname] interface vlan 100

[Sysname-Vlan-interface100] portal url-param user-mac format no-hyphen lowercase

portal url-param include

Use portal url-param include to specify a parameter to be carried in the redirection URL and specify its name.

Use undo portal url-param include to cancel the configuration.

Syntax

portal url-param include { nas-id | nas-ip | nas-port-id | { user-mac | ap-mac } [ des-encrypt ] | user-url | user-ip | user-vlan | ac-name | ssid } [ param-name param-name ]

undo portal url-param include { nas-id | nas-ip | nas-port-id | { user-mac | ap-mac } [ des-encrypt ] | user-url | user-ip | user-vlan | ac-name | ssid } [ param-name ]

Default

The parameters carried in the redirection URL vary with the server type:

·     The CMCC server supports the user-ip, ac-name, and ssid parameters.

·     The IMC server supports only the user-ip parameter.

·     The local portal server supports the user-ip, ac-name, and ssid parameters.

Views

System view, interface view

Default command level

2: System level

Parameters

nas-id: Specifies the NAS ID parameter.

nas-ip: Specifies the NAS IP parameter. If the source IP address of portal packets has been specified for the interface by using the portal nas-ip command, the source IP address is carried in the redirection URL. Otherwise, the IP address of the user access interface is carried in the redirection URL.

nas-port-id: Specifies the NAS port ID parameter.

user-mac: Specifies the user MAC parameter. In the redirection URL, the MAC address is a hexadecimal string in the format XX-XX-XX-XX-XX-XX.

ap-mac: Specifies the AP MAC parameter. In the redirection URL, the MAC address is a hexadecimal string in the format XX-XX-XX-XX-XX-XX.

des-encrypt: Specifies DES to encrypt user or AP MAC address in the redirection URL. If you do not specify this keyword, the redirection URL contains the user or AP MAC address in plaintext form.

user-url: Specifies the autoredirection URL parameter, which is configured by the portal redirect-url command. If you do not specify this keyword, the redirection URL carries the autoredirection URL parameter and uses userurl as the parameter name for both the IMC portal server and the local portal server.

user-ip: Specifies the user IP parameter. If you do not specify this keyword, the redirection URL carries the user IP parameter and uses userip and wlanuserip as the parameter name for the IMC server and the CMCC server, respectively.

user-vlan: Specifies the user VLAN parameter.

ac-name: Specifies the AC name parameter, which is configured by the portal device-id command. If you do not specify this keyword, the redirection URL carries the AC name and uses wlanacname as the parameter name for the CMCC server.

ssid: Specifies the SSID parameter. It is the name of the access service for the wireless user. If you do not specify this keyword, the redirection URL for the CMCC server carries the SSID of the wireless network that a wireless user accesses.

param-name param-name: Specifies the name of the included parameter, a case-sensitive string of 1 to 20 characters containing only letters and digits. The included parameter and its name are presented in the redirection URL in the format param-name=param-value.

Usage guidelines

If you configure the device to carry the NAS ID parameter in the redirection URL, the device obtains the NAS ID in the following order:

1.     Uses the NAS ID obtained from the WLAN module.

2.     Uses the NAS ID configured by using the nas-id-profile command in interface view, which is associated with the user VLAN.

3.     Uses the NAS ID configured by using the nas-id command on the interface.

4.     Uses the global NAS ID configured by using the portal nas-id command.

After the previous operations, if no NAS ID is found, the redirection URL does not carry the NAS ID.

If you configure the device to carry the NAS port ID in the redirection URL, the device obtains the NAS port ID in the following order:

1.     Uses the NAS port ID obtained from the WLAN module.

2.     Uses the NAS port ID configured by using the nas-port-id command in interface view.

After the previous operations, if no NAS port ID is found, the redirection URL does not carry the NAS port ID.

Configuration in system view applies to all portal users on all the device interfaces. Configuration in interface view has higher priority than that in system view.

Examples

# Configure URL parameter nas-id carried in the redirection URL, with the parameter name as wlannasid.

<Sysname> system-view

[Sysname] portal url-param include nas-id param-name wlannasid

# Configure the DES-encrypted URL parameter user-mac carried in the redirection URL on VLAN-interface 10, with the parameter name as wlanusermac.

[Sysname] interface Vlan-interface10

[Sysname-Vlan-interface10] portal url-param include user-mac des-encrypt param-name wlanusermac

After the previous configuration, if the NAS ID is test, the redirection URL that the device sends to the client 10.1.2.34 is as follows:

http://www.portal.com?wlanacname=0002.0010.100.00&wlanuserip=10.1.2.34&ssid=easy&wlannasid=test&wlanusermac=00-00-22-33-44-55
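The pieces that go into that URL, the MAC address formats of portal url-param format, the NAS ID lookup order from the usage guidelines, and the param-name=param-value assembly of portal url-param include, can be put together in a few lines. The Python below is an added illustration, not H3C code: the function names are assumptions, the input values are constructed to reproduce the URL shown above, and DES encryption of the MAC address (des-encrypt) is not modelled, so the MAC appears in plaintext as in the page's URL.

```python
"""Added illustration of how the redirection URL is assembled from the
portal url-param include / format settings. Not H3C code; function names
and the constructed values are assumptions."""
import re
from urllib.parse import urlencode

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")
_PARAM_NAME = re.compile(r"^[A-Za-z0-9]{1,20}$")   # param-name rule from the page


def format_mac(mac, style="with-5-hyphen", case="uppercase"):
    """Render a MAC address the way portal url-param ... format does.
    with-2-hyphen -> H-H-H (three groups of four hex digits),
    with-5-hyphen -> H-H-H-H-H-H (six groups of two), no-hyphen -> twelve digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if not _HEX12.match(digits):
        raise ValueError("MAC address must contain exactly 12 hex digits")
    if style == "with-2-hyphen":
        text = "-".join(digits[i:i + 4] for i in range(0, 12, 4))
    elif style == "with-5-hyphen":
        text = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    elif style == "no-hyphen":
        text = digits
    else:
        raise ValueError("unknown format style")
    return text.lower() if case == "lowercase" else text.upper()


def resolve_nas_id(wlan=None, profile=None, interface=None, global_id=None):
    """NAS ID lookup order from the usage guidelines: WLAN module, then the
    nas-id-profile on the interface, then the interface nas-id, then portal nas-id.
    Returns None when nothing is configured (the URL then omits the parameter)."""
    for candidate in (wlan, profile, interface, global_id):
        if candidate:
            return candidate
    return None


def build_redirect_url(server_url, params):
    """Append (param-name, value) pairs to the server URL. Values are
    percent-encoded so that a value taken from the client (for example the
    originally requested URL) cannot add extra parameters; None values are omitted."""
    for name, _ in params:
        if not _PARAM_NAME.match(name):
            raise ValueError("parameter name must be 1-20 letters or digits: %r" % name)
    query = urlencode([(n, v) for n, v in params if v is not None])
    sep = "&" if "?" in server_url else "?"
    return server_url + sep + query if query else server_url


def page_example_url():
    """Reproduces the redirection URL shown on the page from constructed inputs
    (AC name, client IP, SSID, NAS ID 'test', plaintext user MAC)."""
    nas_id = resolve_nas_id(wlan=None, profile=None, interface=None, global_id="test")
    return build_redirect_url("http://www.portal.com", [
        ("wlanacname", "0002.0010.100.00"),
        ("wlanuserip", "10.1.2.34"),
        ("ssid", "easy"),
        ("wlannasid", nas_id),
        ("wlanusermac", format_mac("0000-2233-4455")),   # default: six sections, uppercase
    ])
```

The user-url parameter is the one value in the URL that originates from the client, so it is the one that must be encoded: without percent-encoding, a requested URL containing & or = would be read by the portal server as additional parameters.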

portal url-param nas-ip

Use portal url-param nas-ip to configure the NAS IP parameter carried in the redirection URL.

Use undo portal url-param nas-ip to restore the default.

Syntax

portal url-param nas-ip ip-address

undo portal url-param nas-ip

Default

The NAS IP parameter in the redirection URL is not configured.

Views

Interface view

Default command level

2: System level

Parameters

ip-address: Specifies the NAS IP parameter, an IPv4 address in format X.X.X.X.

Usage guidelines

This command takes effect only after you configure the redirection URL to carry the NAS IP parameter by using the portal url-param include command.

In a MAC-BAC environment, the NAS IP parameter in the redirection URL sent by the BAS AC to a user must be the IP address of the master AC. When receiving a user HTTP request, the portal server reads the NAS IP carried by the URL to identify the access device and sends portal requests to the access device.

If you do not configure the NAS IP parameter, the NAS-IP in the redirection URL is the IP address configured by using the portal nas-ip command. If the portal nas-ip command is not configured either, the NAS-IP in the redirection URL is the IP address of the user access interface.

Examples

# Configure the NAS IP parameter in the redirection URL as 192.168.0.2.

<Sysname> system-view

[Sysname] portal url-param include nas-ip

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal url-param nas-ip 192.168.0.2

Related commands

·     portal url-param include

·     portal nas-ip

portal user-address dhcp-alloc-only

Use portal user-address dhcp-alloc-only to allow only users with DHCP-assigned IP addresses to pass portal authentication.

Use undo portal user-address dhcp-alloc-only to restore the default.

Syntax

portal user-address dhcp-alloc-only

undo portal user-address dhcp-alloc-only

Default

By default, both users with DHCP-assigned IP addresses and users with static IP addresses can pass portal authentication to come online.

Views

Interface view

Default command level

2: System level

Usage guidelines

When this feature is enabled, users with static IP addresses cannot pass portal authentication to come online.

Examples

# Allow only users with DHCP-assigned IP addresses on VLAN-interface 1 to pass portal authentication.

<Sysname> system-view

[Sysname] interface Vlan-interface 1

[Sysname-Vlan-interface1] portal user-address dhcp-alloc-only

portal user-url free

Use portal user-url to specify the domain name that is to be free of portal authentication.

Use undo portal user-url to delete the specified domain name.

Syntax

portal user-url user-url-string free

undo portal user-url [ user-url-string ]

Default

No domain name is specified to be free of portal authentication.

Views

System view

Default command level

2: System level

Parameters

user-url-string: Specifies a complete URL or a keyword of a domain name, a string of 1 to 127 characters.

free: Disables portal authentication for user access to the server addresses that match the specified domain name.

Usage guidelines

When you use the wildcard (*) to specify a domain name, apply the following formats:

·     *abc.com.cn—Represents all domain names that end with the string abc.com.cn.

·     abc*—Represents all domain names that begin with the string abc.

·     *abc*—Represents all domain names that contain the string abc.
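A small matcher for the three wildcard forms helps check what a free rule actually exempts before it is committed. The Python below is an added example, not H3C code; the function names are assumptions, a rule without a wildcard is treated as a keyword (substring) match following the weixin example on this page, and the case-insensitive comparison is likewise an assumption.

```python
"""Added matcher for portal user-url ... free rules (illustration, not H3C code)."""


def free_rule_matches(rule, host):
    """Return True if the requested host name matches an authentication-free rule.
    Wildcard forms from the page: '*abc.com.cn' (suffix), 'abc*' (prefix),
    '*abc*' (contains). A rule without a wildcard is treated as a keyword,
    i.e. a substring match, following the page's 'weixin' example; that reading
    and the case-insensitive comparison are assumptions."""
    r, h = rule.lower(), host.lower()
    if len(r) > 2 and r.startswith("*") and r.endswith("*"):
        return r[1:-1] in h
    if r.startswith("*"):
        return h.endswith(r[1:])
    if r.endswith("*"):
        return h.startswith(r[:-1])
    if "*" in r:
        raise ValueError("wildcard is only supported at the start or end of the rule")
    return r in h


def audit_free_rules(rules, hosts):
    """For a rule set and a list of observed host names (for example from DNS
    logs), return which hosts each rule would exempt from authentication.
    Useful for checking that a rule is not broader than intended."""
    return {rule: [h for h in hosts if free_rule_matches(rule, h)] for rule in rules}
```

Note that a suffix rule without a leading dot, such as *abc.com.cn, also matches a host like evilabc.com.cn; if only the domain and its subdomains are meant, write the rule as *.abc.com.cn and check the result with audit_free_rules against real host names.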

Examples

# Configure domain names containing weixin to be free of portal authentication.

<Sysname> system-view

[Sysname] portal user-url weixin free

portal user-url redirect-url

Use portal user-url to configure a redirection URL for a user-requested URL.

Use undo portal user-url to restore the default.

Syntax

portal user-url user-url-string redirect-url redirect-url-string

undo portal user-url

Default

By default, no redirection URLs are configured for user-requested URLs.

Views

System view

Default command level

2: System level

Parameters

user-url-string: Specifies the URL that a user requests, a string of 1 to 127 characters. The specified URL must be a complete URL starting with http://.

redirect-url-string: Specifies the URL to which the user is redirected, a string of 1 to 127 characters. The specified URL must be a complete URL starting with http://.

Usage guidelines

You can specify the URLs of portal authentication pages as the redirection URLs for user-requested URLs. Then, the device can redirect portal users that access different websites to different portal authentication pages.

Examples

# Configure the device to redirect users that visit http://5.5.5.5 to the webpage at http://111.8.0.244:8080/portal.

<Sysname> system-view

[Sysname] portal user-url http://5.5.5.5 redirect-url http://111.8.0.244:8080/portal

portal web-proxy port

Use portal web-proxy port to add the port number of a Web proxy server, so that HTTP requests forwarded by the Web proxy server trigger portal authentication.

Use undo portal web-proxy port to delete one or all Web proxy server port numbers.

Syntax

portal web-proxy port port-number

undo portal web-proxy port { port-number | all }

Default

No Web proxy server port number is configured on the device and proxied HTTP requests cannot trigger portal authentication.

Views

System view

Default command level

2: System level

Parameters

port-number: Specifies the Web proxy server port number in the range of 1 to 65535.

all: Specifies all Web proxy server port numbers.

Usage guidelines

You can add up to four Web proxy server port numbers.

If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, you must add the port numbers of the Web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.

If the Web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host enabled with the HTTP service.

Authorized ACLs to be assigned to the users who have passed portal authentication must contain a rule that permits the Web proxy server's IP address. Otherwise, the user cannot receive heartbeat packets from the remote portal server.

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Add Web proxy server port number 8080 on the device, so that users using a Web proxy server with the port number can be redirected to the portal authentication page.

<Sysname> system-view

[Sysname] portal web-proxy port 8080

portal wlan ssid

Use portal wlan ssid to associate an SSID and AP name with a portal server, an authentication domain, and an autoredirection URL carrying specific URL parameters. A wireless user using the specified SSID and AP uses the specified portal server, authentication domain, and autoredirection URL with the specified URL parameters for portal authentication.

Use undo portal wlan ssid to remove the association for the specified SSID and AP name.

Syntax

portal [ ipv6 ] wlan ssid ssid-name [ spot spot-name ] { server server-name [ domain domain-name ] | redirect-url url-value [ wait-time value ] | redirect-url-param { nas-id param-name | nas-ip param-name | user-ip param-name | user-mac param-name [ des-encrypt ] | ap-mac param-name [ des-encrypt ] | ac-name param-name | ssid-name param-name } * } *

undo [ ipv6 ] portal wlan ssid ssid-name [ spot spot-name ]

Default

An SSID and AP name are not associated with any portal server, authentication domain, or autoredirection URL with specific URL parameters carried.

Views

System view

Default command level

2: System level

Parameters

ipv6: Specifies IPv6 users.

ssid ssid-name: Specifies an SSID for wireless users, a case-sensitive string of 1 to 32 characters.

spot spot-name: Specifies an AP name, a case-sensitive string of 1 to 63 characters.

server server-name: Specifies a portal server name, a case-sensitive string of 1 to 32 characters.

domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters.

redirect-url url-value: Specifies a URL to which an authenticated user is redirected, a case-sensitive string of 1 to 127 characters.

wait-time value: Specifies a wait time before an authenticated user is redirected to the URL, in the range of 1 to 90 seconds.

redirect-url-param: Specifies the parameters to be carried in the URL to which authenticated portal users will be redirected, and the parameter names.

nas-id: Specifies the identifier of the NAS.

nas-ip: Specifies the IP address of the NAS.

user-ip: Specifies the IP address of the user.

user-mac: Specifies the MAC address of the user.

des-encrypt: Specifies DES to encrypt the user or AP MAC address in the redirection URL. If you do not specify this keyword, the redirection URL carries the plaintext user or AP MAC address.

ap-mac: Specifies the MAC address of the AP.

ac-name: Specifies the AC name carried in the redirection URL.

ssid-name: Specifies the SSID of the network.

param-name: Specifies the name of the included parameter, a case-sensitive string of 1 to 20 characters that contains only letters and digits. The included parameter and its specified name are presented in the redirection URL in the format "param-name=param-value".

Usage guidelines

The associations take effect when the following conditions are met:

·     The specified portal server and authentication domain exist.

·     A portal-free rule is configured to ensure that the portal server can receive packets from the device.

When a wireless user accesses an external network, the device looks for the portal server and authentication domain associated with the SSID and AP the user uses. If no match is found, the device uses the portal server enabled on the interface the user is connected to, and the authentication domain configured in system view.

After the wireless user passes authentication, the device looks for the associated URL. If no match is found, the device uses the URL configured by using the portal redirect-url command.

Examples

# Associate SSID service and AP sp1 with portal server pt, authentication domain dm1, and a redirection URL carrying encrypted nas-ip and user-mac parameters.

<Sysname> system-view

[Sysname] portal ipv6 wlan ssid service spot sp1 server pt domain dm1 redirect-url-param nas-ip wlannasip user-mac wlanusermac des-encrypt

After the previous configuration, if the initial URL the user accesses is http://3.3.3.1, the redirection URL the device sends to the user is as follows:

http://3.3.3.1?wlannasip=93.0.27.54&wlanusermac=c57d9d0c1f559e86919f816b3b240c40000d025e2450c0c8
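The lookup and fallback order described in the usage guidelines, together with the way the redirection URL is assembled from the redirect-url-param names, as an added Python model (not H3C code). It assumes that an entry keyed by both SSID and AP name is preferred over an SSID-only entry, and it uses a stand-in encrypt callable in place of the device's DES encryption (whose key is configured with portal url-param des-key).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# attribute -> (param-name, des-encrypt); only user-mac and ap-mac accept des-encrypt
ParamMap = Dict[str, Tuple[str, bool]]
MAC_ATTRS = {"user-mac", "ap-mac"}


@dataclass
class SsidAssoc:
    server: Optional[str] = None
    domain: Optional[str] = None
    redirect_url: Optional[str] = None
    params: ParamMap = field(default_factory=dict)


class PortalWlanTable:
    """Model of the per-SSID/AP association table and its fallbacks."""

    def __init__(self, iface_server: str, system_domain: str, global_url: Optional[str]):
        # Fallbacks: portal server on the user's interface, system-view domain,
        # and the URL set with the portal redirect-url command.
        self.fallback = SsidAssoc(iface_server, system_domain, global_url)
        self.entries: Dict[Tuple[str, Optional[str]], SsidAssoc] = {}

    def add(self, ssid: str, spot: Optional[str], assoc: SsidAssoc) -> None:
        self.entries[(ssid, spot)] = assoc

    def resolve(self, ssid: str, spot: str) -> SsidAssoc:
        # Assumption: the (SSID, AP) entry is preferred over an SSID-only entry.
        hit = self.entries.get((ssid, spot)) or self.entries.get((ssid, None)) or SsidAssoc()
        fb = self.fallback
        return SsidAssoc(hit.server or fb.server, hit.domain or fb.domain,
                         hit.redirect_url or fb.redirect_url, hit.params)


def build_redirect_url(initial_url: str, params: ParamMap, values: Dict[str, str],
                       encrypt: Callable[[str], str]) -> str:
    """Append the configured parameters (MACs encrypted when des-encrypt is set)."""
    query = {}
    for attr, (name, des) in params.items():
        value = values[attr]
        if des and attr in MAC_ATTRS:
            value = encrypt(value)  # device: DES with the portal url-param des-key
        query[name] = value
    sep = "&" if "?" in initial_url else "?"
    return initial_url + sep + urlencode(query)


# Constructed sample mirroring the page's example (stand-in encryption, not real DES).
TABLE = PortalWlanTable("iface-srv", "system", None)
TABLE.add("service", "sp1", SsidAssoc("pt", "dm1", None,
          {"nas-ip": ("wlannasip", False), "user-mac": ("wlanusermac", True)}))
STUB_ENCRYPT = lambda mac: "enc(" + mac + ")"
```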

Related commands

·     domain

·     portal free-rule

·     portal redirect-url

·     portal server

portal wlan ssid-switch

Use portal wlan ssid-switch logoff to enable forced logoff for users who switch SSIDs.

Use undo portal wlan ssid-switch logoff to restore the default.

Syntax

portal wlan ssid-switch logoff

undo portal wlan ssid-switch logoff

Default

Wireless portal users are not logged off after switching SSIDs.

Views

System view

Default command level

2: System level

Parameters

logoff: Enables forced logoff for users who switch SSIDs.

Examples

# Enable forced logoff for users who switch SSIDs.

<Sysname> system-view

[Sysname] portal wlan ssid-switch logoff

reset portal connection statistics

Use reset portal connection statistics to clear portal connection statistics on a specific interface or all interfaces.

Syntax

reset portal connection statistics { all | interface interface-type interface-number }

Views

User view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Clear portal connection statistics on interface VLAN-interface 2.

<Sysname> reset portal connection statistics interface vlan-interface 2

reset portal server statistics

Use reset portal server statistics to clear portal server statistics on a specific interface or all interfaces.

Syntax

reset portal server statistics { all | interface interface-type interface-number }

Views

User view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Clear portal server statistics on interface VLAN-interface 2.

<Sysname> reset portal server statistics interface vlan-interface 2

reset portal tcp-cheat statistics

Use reset portal tcp-cheat statistics to clear TCP spoofing statistics.

Syntax

reset portal tcp-cheat statistics

Views

User view

Default command level

1: Monitor level

Examples

# Clear TCP spoofing statistics.

<Sysname> reset portal tcp-cheat statistics

web-redirect

Use web-redirect to configure the Web redirect function on an interface.

Use undo web-redirect to restore the default.

Syntax

web-redirect url url-string [ interval interval ]

undo web-redirect

Default

This function is not configured on an interface.

Views

Interface view

Default command level

2: System level

Parameters

url-string: Specifies the URL address to which a Web access request is to be redirected.

interval interval: Specifies the redirection interval in the range of 60 to 86400 seconds. The default is 86400 seconds.

Usage guidelines

You cannot configure both the portal function and the Web redirect function on an interface. If you do so, the function configured later does not take effect.

If you execute this command multiple times, the most recent configuration takes effect.

After you modify the redirection URL address, online users will not be redirected to the new URL until the current redirection interval expires. Users who access Web for the first time after the modification are redirected to the new URL.

Examples

# Configure the Web redirect function on VLAN-interface 100, setting the redirection URL address to http://192.0.0.1 and the interval to 3600 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] web-redirect url http://192.0.0.1 interval 3600
