07-Security Command Reference

H3C WA Series Access Points Command References (R1507P09)-6W101
10-Portal Commands

access-user detect

Use access-user detect to configure the online portal user detection function.

Use undo access-user detect to restore the default.

Syntax

access-user detect type arp retransmit number interval interval

undo access-user detect

Default

The portal user detection function is not configured on an interface.

Views

Interface view

Default command level

2: System level

Parameters

type arp: Uses ARP requests as probe packets.

retransmit number: Specifies the maximum number of probe packets the device sends to a user without receiving a reply. If this number is reached and the device still has no reply from the portal user, the device considers the portal user offline and logs out the user. The value range for the number argument is 2 to 5.

interval interval: Specifies the interval for sending probe packets, in seconds. The value range is 5 to 120.

Usage guidelines

When this function is configured on an interface, the interface starts a probe timer (3 minutes, not configurable). If the interface has not received packets from a portal user when the probe timer expires, the device sends probe packets (ARP requests) to the portal user. If the device has not received a reply from the portal user when the maximum number of probes is reached, the device logs off the portal user. If the device receives a reply from the portal user before the maximum number of probes is reached, it stops sending probe packets and restarts the probe timer. The device repeats the process to detect whether portal users are online.

This function is available only for the direct and re-DHCP portal authentication configured on a Layer 3 interface.
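To make the timing of this procedure concrete, the following Python model (an added example, not code from the H3C command reference) replays the idle probe timer, the probe interval and the retransmit limit for one user whose packet arrival times are given, and computes the longest time a silent user can stay online. It assumes, which the page does not state, that the device waits one full interval after the last probe before logging the user off; the packet timelines are constructed.

```python
"""Model of the portal user ARP detection procedure (added example, not H3C code)."""

PROBE_TIMER_S = 180  # fixed 3-minute idle timer from the command reference (not configurable)


def valid_parameters(retransmit: int, interval: int) -> bool:
    """Check the value ranges given in the Parameters section."""
    return 2 <= retransmit <= 5 and 5 <= interval <= 120


def validate(retransmit: int, interval: int) -> None:
    if not valid_parameters(retransmit, interval):
        raise ValueError("retransmit must be 2..5 and interval 5..120 seconds")


def max_detection_latency(retransmit: int, interval: int) -> int:
    """Longest time a silent user stays online: idle timer plus one interval per probe.

    Assumption: the device waits a full interval after the last probe before logging off.
    """
    validate(retransmit, interval)
    return PROBE_TIMER_S + retransmit * interval


def simulate(retransmit: int, interval: int, user_packet_times, horizon: float):
    """Replay the detection process for one user who logged in at t=0.

    user_packet_times: times (seconds) at which the device sees any packet from
    the user, including replies to ARP probes.  Returns (logout_time, probe_times);
    logout_time is None if the user is still online at `horizon`.
    """
    validate(retransmit, interval)
    events = sorted(user_packet_times)
    i = 0
    last_seen = 0          # time of the last packet from the user
    probes = []            # times at which ARP probes were sent
    outstanding = 0        # probes sent since the user was last heard from
    while True:
        # Next decision point: probe-timer expiry when no probes are outstanding,
        # otherwise one interval after the most recent probe.
        if outstanding == 0:
            decision = last_seen + PROBE_TIMER_S
        else:
            decision = probes[-1] + interval
        # Any packet from the user before that point stops probing and restarts the timer.
        if i < len(events) and events[i] <= decision:
            last_seen = events[i]
            i += 1
            outstanding = 0
            continue
        if decision > horizon:
            return None, probes
        if outstanding == retransmit:
            # Maximum number of probes sent and still no reply: log the user off.
            return decision, probes
        probes.append(decision)
        outstanding += 1


if __name__ == "__main__":
    # The page's example values: retransmit 3, interval 10.
    print(max_detection_latency(3, 10))              # 210
    print(simulate(3, 10, [], 3600))                 # (210, [180, 190, 200])
    # Constructed timeline: traffic at t=100, a reply to the first probe at t=290,
    # then silence; the reply cancels the probe sequence and restarts the timer.
    print(simulate(3, 10, [100, 290], 3600))         # (500, [280, 470, 480, 490])
```

The model shows why the two parameters trade off against each other: a large retransmit count with a long interval keeps a user whose client sleeps briefly online, but also keeps a departed user's dynamic ACL entry active for up to 180 + retransmit × interval seconds.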

Examples

# Configure the portal user detection function on VLAN-interface 100, specifying the probe packets as ARP requests, maximum number of probe attempts as 3, and probe interval as 10 seconds.

<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] access-user detect type arp retransmit 3 interval 10

display portal acl

Use display portal acl to display the ACLs on a specific interface.

Syntax

display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Displays all portal ACLs, including dynamic and static portal ACLs.

dynamic: Displays dynamic portal ACLs—ACLs generated dynamically after a user passes portal authentication.

static: Displays static portal ACLs—ACLs generated through portal related configuration, such as portal-free rule configuration.

interface interface-type interface-number: Displays the ACLs on the specified interface.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display all ACLs on interface VLAN-interface 2.

<Sysname> display portal acl all interface vlan-interface 2
IPv4 portal ACL rules on Vlan-interface2:
 Rule 0
 Inbound interface : all
 Type              : static
 Action            : permit
 Protocol          : 0
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : any
    MAC       : 0000-0000-0000
    Interface : any
    VLAN      : 2
 Destination:
    IP        : 192.168.1.15
    Mask      : 255.255.255.255
    Port      : any

 Rule 1
 Inbound interface : all
 Type              : dynamic
 Action            : permit
 Source:
    IP        : 8.8.8.8
    Mask      : 255.255.255.255
    MAC       : 0015-e9a6-7cfe
    Interface : any
    VLAN      : 2
    Protocol  : 0
 Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
 Author ACL:
    Number    : 3001

 Rule 2
 Inbound interface : all
 Type              : static
 Action            : redirect
 Protocol          : 6
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : any
    MAC       : 0000-0000-0000
    Interface : any
    VLAN      : 2
 Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : 80

 Rule 3
 Inbound interface : all
 Type              : static
 Action            : deny
 Protocol          : 0
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : any
    MAC       : 0000-0000-0000
    Interface : any
    VLAN      : 2
 Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : any

IPv6 portal ACL rules on Vlan-interface2:
 Rule 0
 Inbound interface : all
 Type              : static
 Action            : permit
 Source:
    IP            : ::
    Prefix length : 0
    MAC           : 0000-0000-0000
    Interface     : any
    VLAN          : 8
    Protocol      : 0
 Destination:
    IP            : 2::2
    Prefix length : 128
    Port          : any

 Rule 1
 Inbound interface : all
 Type              : static
 Action            : redirect
 Source:
    IP            : ::
    Prefix length : 0
    MAC           : 0000-0000-0000
    Interface     : any
    VLAN          : 8
    Protocol      : 6
 Destination:
    IP            : ::
    Prefix length : 0
    Port          : 80

 Rule 2
 Inbound interface : Vlan-interface2
 Type              : static
 Action            : deny
 Source:
    IP            : ::
    Prefix length : 0
    MAC           : 0000-0000-0000
    Interface     : Vlan-interface2
    VLAN          : 8
    Protocol      : 0
 Destination:
    IP            : ::
    Prefix length : 0
    Port          : any

Table 1 Command output

  Rule: Sequence number of the portal ACL, numbered from 0 in ascending order.
  Inbound interface: Interface to which the portal ACL is bound.
  Type: Type of the portal ACL.
  Action: Match action in the portal ACL.
  Protocol: Transport layer protocol number in the portal ACL.
  Source: Source information in the portal ACL.
  IP: Source IP address in the portal ACL.
  Mask: Subnet mask of the source IP address in the portal ACL.
  Prefix length: Source IPv6 address prefix in the portal ACL.
  Port: Source transport layer port number in the portal ACL.
  MAC: Source MAC address in the portal ACL.
  Interface: Source interface in the portal ACL.
  VLAN: Source VLAN in the portal ACL.
  Protocol: Protocol type in the portal ACL.
  Destination: Destination information in the portal ACL.
  IP: Destination IP address in the portal ACL.
  Port: Destination transport layer port number in the portal ACL.
  Mask: Subnet mask of the destination IP address in the portal ACL.
  Prefix length: Destination IPv6 address prefix in the portal ACL.
  Author ACL: Authorization ACL information. It is displayed only when the value of the Type field is dynamic.
  Number: Authorization ACL number assigned by the RADIUS server. None indicates that the server did not assign any ACL.
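The IPv4 rule list in the example above has the shape a portal-enabled interface usually carries: a static permit towards the portal server, a dynamic permit for a user who has passed authentication, a redirect for TCP port 80, and a final deny. The following Python, added here and not part of the command reference, encodes those four rules and evaluates sample packets against them in sequence-number order. First-match evaluation and the packet fields are assumptions made for illustration; the sample packets are constructed.

```python
"""First-match evaluation of the portal ACL rules shown above (added example, not H3C code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY_MAC = "0000-0000-0000"              # wildcard MAC as printed in the display output
ANY_NET = IPv4Network("0.0.0.0/0.0.0.0")  # IP 0.0.0.0 with mask 0.0.0.0


def net(ip: str, mask: str) -> IPv4Network:
    """Build a network from the IP/Mask pair as printed by the device."""
    return IPv4Network(f"{ip}/{mask}", strict=False)


@dataclass(frozen=True)
class PortalAclRule:
    rule: int
    rule_type: str           # "static" or "dynamic"
    action: str              # "permit", "redirect" or "deny"
    protocol: int            # 0 = any transport protocol, 6 = TCP
    src: IPv4Network
    src_mac: str             # ANY_MAC, or the specific MAC a dynamic rule is bound to
    dst: IPv4Network
    dst_port: Optional[int]  # None = any

    def matches(self, src_ip: str, src_mac: str, dst_ip: str,
                proto: int, dst_port: Optional[int]) -> bool:
        if self.protocol and self.protocol != proto:
            return False
        if IPv4Address(src_ip) not in self.src or IPv4Address(dst_ip) not in self.dst:
            return False
        if self.src_mac != ANY_MAC and self.src_mac != src_mac:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


# The four IPv4 rules from "display portal acl all interface vlan-interface 2" above.
RULES = [
    PortalAclRule(0, "static", "permit", 0, ANY_NET, ANY_MAC,
                  net("192.168.1.15", "255.255.255.255"), None),
    PortalAclRule(1, "dynamic", "permit", 0, net("8.8.8.8", "255.255.255.255"),
                  "0015-e9a6-7cfe", ANY_NET, None),
    PortalAclRule(2, "static", "redirect", 6, ANY_NET, ANY_MAC, ANY_NET, 80),
    PortalAclRule(3, "static", "deny", 0, ANY_NET, ANY_MAC, ANY_NET, None),
]


def evaluate(rules, src_ip, src_mac, dst_ip, proto, dst_port=None):
    """Return (rule number, action) of the first matching rule, in sequence-number order (assumed)."""
    for r in sorted(rules, key=lambda r: r.rule):
        if r.matches(src_ip, src_mac, dst_ip, proto, dst_port):
            return r.rule, r.action
    return None, "no match"


if __name__ == "__main__":
    # Constructed packets: an unauthenticated host reaching the portal server, browsing,
    # and sending DNS; the authenticated user (rule 1) sending arbitrary TCP.
    print(evaluate(RULES, "10.0.0.5", "00aa-bbcc-ddee", "192.168.1.15", 6, 443))  # (0, 'permit')
    print(evaluate(RULES, "10.0.0.5", "00aa-bbcc-ddee", "1.1.1.1", 6, 80))        # (2, 'redirect')
    print(evaluate(RULES, "10.0.0.5", "00aa-bbcc-ddee", "1.1.1.1", 17, 53))       # (3, 'deny')
    print(evaluate(RULES, "8.8.8.8", "0015-e9a6-7cfe", "1.1.1.1", 6, 443))        # (1, 'permit')
```

Two points a practitioner can read off this: only TCP port 80 is redirected, so a client that never issues plain HTTP sees its traffic dropped by rule 3 rather than redirected to the login page, and the dynamic permit is keyed on both the authenticated IP and its MAC, so a packet carrying the IP but a different MAC still falls through to the redirect and deny rules. Traffic such as DNS that must work before login needs a portal-free rule, which appears as a static permit in this list.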

 

display portal connection statistics

Use display portal connection statistics to display portal connection statistics on a specific interface or all interfaces.

Syntax

display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display portal connection statistics on interface VLAN-interface 2.

<Sysname> display portal connection statistics interface vlan-interface2
 ---------------Interface: Vlan-interface2-----------------------
 User state statistics:
 State-Name                User-Num
 VOID                      0
 DISCOVERED                0
 WAIT_AUTHEN_ACK           0
 WAIT_AUTHOR_ACK           0
 WAIT_LOGIN_ACK            0
 WAIT_ACL_ACK              0
 WAIT_NEW_IP               0
 WAIT_USERIPCHANGE_ACK     0
 ONLINE                    1
 WAIT_LOGOUT_ACK           0
 WAIT_LEAVING_ACK          0

 Message statistics:
 Msg-Name                  Total         Err           Discard
 MSG_AUTHEN_ACK            3             0             0
 MSG_AUTHOR_ACK            3             0             0
 MSG_LOGIN_ACK             3             0             0
 MSG_LOGOUT_ACK            2             0             0
 MSG_LEAVING_ACK           0             0             0
 MSG_CUT_REQ               0             0             0
 MSG_AUTH_REQ              3             0             0
 MSG_LOGIN_REQ             3             0             0
 MSG_LOGOUT_REQ            2             0             0
 MSG_LEAVING_REQ           0             0             0
 MSG_ARPPKT                0             0             0
 MSG_PORT_REMOVE           0             0             0
 MSG_VLAN_REMOVE           0             0             0
 MSG_IF_REMOVE             6             0             0
 MSG_IF_SHUT               0             0             0
 MSG_IF_DISPORTAL          0             0             0
 MSG_IF_UP                 0             0             0
 MSG_ACL_RESULT            0             0             0
 MSG_AAACUTBKREQ           0             0             0
 MSG_CUT_BY_USERINDEX      0             0             0
 MSG_CUT_L3IF              0             0             0
 MSG_IP_REMOVE             0             0             0
 MSG_ALL_REMOVE            1             0             0
 MSG_IFIPADDR_CHANGE       0             0             0
 MSG_SOCKET_CHANGE         8             0             0
 MSG_NOTIFY                0             0             0
 MSG_SETPOLICY             0             0             0
 MSG_SETPOLICY_RESULT      0             0             0

Table 2 Command output

  User state statistics: Statistics on portal users.
  State-Name: Name of a user state.
  User-Num: Number of users in a specific state.
  Message statistics: Statistics on messages.
  Msg-Name: Message type.
  Total: Total number of messages of a specific type.
  Err: Number of erroneous messages of a specific type.
  Discard: Number of discarded messages of a specific type.
  MSG_AUTHEN_ACK: Authentication acknowledgment message.
  MSG_AUTHOR_ACK: Authorization acknowledgment message.
  MSG_LOGIN_ACK: Accounting acknowledgment message.
  MSG_LOGOUT_ACK: Accounting-stop acknowledgment message.
  MSG_LEAVING_ACK: Leaving acknowledgment message.
  MSG_CUT_REQ: Cut request message.
  MSG_AUTH_REQ: Authentication request message.
  MSG_LOGIN_REQ: Accounting request message.
  MSG_LOGOUT_REQ: Accounting-stop request message.
  MSG_LEAVING_REQ: Leaving request message.
  MSG_ARPPKT: ARP message.
  MSG_PORT_REMOVE: Users-of-a-Layer-2-port-removed message.
  MSG_VLAN_REMOVE: VLAN user removed message.
  MSG_IF_REMOVE: Users-removed message, indicating the users on a Layer 3 interface were removed because the Layer 3 interface was removed.
  MSG_IF_SHUT: Layer 3 interface shutdown message.
  MSG_IF_DISPORTAL: Portal-disabled-on-interface message.
  MSG_IF_UP: Layer 3 interface came up message.
  MSG_ACL_RESULT: ACL deployment failure message.
  MSG_AAACUTBKREQ: Message that AAA uses to notify portal to delete backup user information.
  MSG_CUT_BY_USERINDEX: Force-user-offline message.
  MSG_CUT_L3IF: Users-removed message, indicating the users on a Layer 3 interface were removed because they were logged out.
  MSG_IP_REMOVE: User-with-an-IP-removed message.
  MSG_ALL_REMOVE: All-users-removed message.
  MSG_IFIPADDR_CHANGE: Interface IP address change message.
  MSG_SOCKET_CHANGE: Socket change message.
  MSG_NOTIFY: Notification message.
  MSG_SETPOLICY: Set policy message for assigning security ACL.
  MSG_SETPOLICY_RESULT: Set policy response message.
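The Err and Discard columns are the part of this output worth watching on a busy portal interface, together with users that linger in a WAIT_* state. The following Python, added here and not part of the command reference, parses the two sections of the output into dictionaries and reports message types with non-zero error or discard counters and users stuck in transient states. The sample text is constructed from the display output above with two counters raised so that the check has something to report.

```python
"""Health check over 'display portal connection statistics' output (added example, not H3C code)."""
import re

# Constructed sample modelled on the display output above; MSG_AUTHEN_ACK Err,
# MSG_ACL_RESULT Discard and WAIT_AUTHEN_ACK were raised for the demonstration.
SAMPLE = """\
 ---------------Interface: Vlan-interface2-----------------------
 User state statistics:
 State-Name                User-Num
 VOID                      0
 DISCOVERED                0
 WAIT_AUTHEN_ACK           2
 ONLINE                    1
 WAIT_LOGOUT_ACK           0

 Message statistics:
 Msg-Name                  Total         Err           Discard
 MSG_AUTHEN_ACK            3             1             0
 MSG_AUTHOR_ACK            3             0             0
 MSG_LOGIN_ACK             3             0             0
 MSG_ACL_RESULT            2             0             2
 MSG_SOCKET_CHANGE         8             0             0
"""

IFACE_RE = re.compile(r"Interface:\s*(.+?)-{3,}\s*$")
STATE_RE = re.compile(r"^\s*([A-Z_]+)\s+(\d+)\s*$")
MSG_RE = re.compile(r"^\s*(MSG_[A-Z0-9_]+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_connection_statistics(text: str) -> dict:
    """Return {'interface': str, 'states': {name: count}, 'messages': {name: {total, err, discard}}}."""
    stats = {"interface": None, "states": {}, "messages": {}}
    section = None
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            stats["interface"] = m.group(1).strip()
            continue
        stripped = line.strip()
        if stripped == "User state statistics:":
            section = "states"
            continue
        if stripped == "Message statistics:":
            section = "messages"
            continue
        if section == "states":
            m = STATE_RE.match(line)   # header line has lowercase letters, so it does not match
            if m:
                stats["states"][m.group(1)] = int(m.group(2))
        elif section == "messages":
            m = MSG_RE.match(line)
            if m:
                name, total, err, discard = m.groups()
                stats["messages"][name] = {"total": int(total), "err": int(err),
                                           "discard": int(discard)}
    return stats


def find_anomalies(stats: dict) -> list:
    """Findings worth a second look: error/discard counters and users stuck in WAIT_* states."""
    findings = []
    for name, c in stats["messages"].items():
        if c["err"] or c["discard"]:
            findings.append(f"{name}: err={c['err']} discard={c['discard']} of {c['total']}")
    for state, n in stats["states"].items():
        if state.startswith("WAIT_") and n:
            findings.append(f"{n} user(s) waiting in {state}")
    return findings


if __name__ == "__main__":
    parsed = parse_connection_statistics(SAMPLE)
    for finding in find_anomalies(parsed):
        print(f"{parsed['interface']}: {finding}")
```

Counters in this output are cumulative, so a monitoring job should keep the previous snapshot and alert on the delta rather than on the absolute value; a persistent MSG_ACL_RESULT discard count, for example, points at authorization ACLs the RADIUS server assigns that cannot be deployed on the device.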

 

display portal free-rule

Use display portal free-rule to display information about a specific portal-free rule or all portal-free rules.

Syntax

display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

rule-number: Specifies the number of a portal-free rule. The value range is 0 to 511.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about portal-free rule 1.

<Sysname> display portal free-rule 1
 Rule-Number  1:
 Source:
   IP        : 2.2.2.0
   Mask      : 255.255.255.0
   Port      : any
   MAC       : 0000-0000-0000
   Interface : any
   Vlan      : 0
 Destination:
   IP        : 0.0.0.0
   Mask      : 0.0.0.0
   Port      : any
 Protocol    : 6
 Rule-Number  2:
 Source:
   IP            : 1::2
   Prefix length : 128
   MAC           : 0000-0000-0000
   Interface     : any
   Vlan          : 0
 Destination:
   IP            : 1::
   Prefix length : 64

Table 3 Command output

  Rule-Number: Number of the portal-free rule.
  Source: Source information in the portal-free rule.
  IP: Source IP address in the portal-free rule.
  Mask: Subnet mask of the source IP address in the portal-free rule.
  Prefix length: Source IPv6 address prefix in the portal-free rule.
  Port: Source transport layer port number in the portal-free rule.
  MAC: Source MAC address in the portal-free rule.
  Interface: Source interface in the portal-free rule.
  Vlan: Source VLAN in the portal-free rule.
  Destination: Destination information in the portal-free rule.
  IP: Destination IP address in the portal-free rule.
  Mask: Subnet mask of the destination IP address in the portal-free rule.
  Prefix length: Destination IPv6 address prefix in the portal-free rule.
  Port: Destination transport layer port number in the portal-free rule.
  Protocol: Transport layer protocol number in the portal-free rule.

 

Related commands

portal free-rule

display portal interface

Use display portal interface to display the portal configuration of an interface.

Syntax

display portal interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the portal configuration for interface VLAN-interface 2.

<Sysname> display portal interface vlan-interface 2
 Portal configuration of Vlan-interface2
 IPv4:
     Status: Portal running
     Portal server: servername
     Portal backup-group: 1
     Authentication type: Layer3
     Authentication domain: my-domain
     Authentication network:
         Source IP: 1.1.1.1              Mask: 255.255.0.0
 Portal configuration of Vlan-interface2
 IPv6:
     Status: Portal running
     Portal server: v6pt
     Portal backup-group: None
     Authentication type: Direct
     Authentication domain:
     Authentication network:
         Source IP: 4::4                 Prefix length: 128

Table 4 Command output

  Portal configuration of interface: Portal configuration on the interface.
  IPv4: IPv4 portal configuration.
  IPv6: IPv6 portal configuration.
  Status: Status of the portal authentication on the interface:
    · Portal disabled—Portal authentication is disabled.
    · Portal enabled—Portal authentication is enabled but is not functioning.
    · Portal running—Portal authentication is functioning.
  Portal server: Portal server referenced by the interface.
  Portal backup-group: ID number of the portal group to which the interface belongs. If the interface does not belong to any portal group, None is displayed.
  Authentication type: Authentication mode enabled on the interface.
  Authentication domain: Mandatory authentication domain of the interface.
  Authentication network: Information of the portal authentication source subnet and destination subnet.
  Source IP: IP address of the portal authentication source subnet.
  Destination IP: IP address of the portal authentication destination subnet.
  Mask: Subnet mask of the IP address of the portal authentication subnet.
  Prefix length: Prefix length of the IPv6 address of the portal authentication subnet.

 

display portal server

Use display portal server to display information about a specific portal server or all portal servers.

Syntax

display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about portal server aaa.

<Sysname> display portal server aaa
 Portal server:
  1)aaa:
    IP          : 192.168.0.111
    Port        : 50100
    Key         : ******
    URL         : http://192.168.0.111
    Server Type : iMC
    Status      : Up

Table 5 Command output

  1): Number of the portal server.
  aaa: Name of the portal server.
  IP: IP address of the portal server.
  Port: Listening port on the portal server.
  Key: Shared key for exchanges between the access device and portal server.
    · ****** is displayed if a key is configured.
    · Not configured is displayed if no key is configured.
  URL: Address the packets are to be redirected to. Not configured is displayed if no address is configured.
  Server Type: Type of the portal server. Possible values include:
    · CMCC—CMCC portal server.
    · iMC—H3C IMC portal server or H3C CAMS portal server.
  Status: Current status of the portal server. Possible values include:
    · N/A—The server is not referenced on any interface, or the server detection function is not enabled. The reachability of the portal server is unknown.
    · Up—The portal server is referenced on an interface, the portal server detection function is enabled, and the portal server is reachable.
    · Down—The portal server is referenced on an interface, the portal server detection function is enabled, but the portal server is unreachable.
  This field is not displayed for IPv6 portal servers, because IPv6 portal servers do not support the portal server detection function.

 

Related commands

portal server

display portal server statistics

Use display portal server statistics to display portal server statistics on a specific interface or all interfaces.

Syntax

display portal server statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

When the all keyword is specified, the command displays portal server statistics by interface. Statistics for a portal server that is referenced by more than one interface are therefore displayed once per interface.

Examples

# Display portal server statistics on VLAN-interface 2.

<Sysname> display portal server statistics interface vlan-interface2
 ---------------Interface: vlan-interface2----------------------
 Server name:  st
 Invalid packets: 0
 Pkt-Name                          Total   Discard  Checkerr
 REQ_CHALLENGE                     3       0        0
 ACK_CHALLENGE                     3       0        0
 REQ_AUTH                          3       0        0
 ACK_AUTH                          3       0        0
 REQ_LOGOUT                        1       0        0
 ACK_LOGOUT                        1       0        0
 AFF_ACK_AUTH                      3       0        0
 NTF_LOGOUT                        1       0        0
 REQ_INFO                          6       0        0
 ACK_INFO                          6       0        0
 NTF_USERDISCOVER                  0       0        0
 NTF_USERIPCHANGE                  0       0        0
 AFF_NTF_USERIPCHANGE              0       0        0
 ACK_NTF_LOGOUT                    1       0        0
 NTF_HEARTBEAT                     0       0        0
 NTF_USERSYNC                      2       0        0
 ACK_NTF_USERSYNC                  0       0        0
 NTF_CHALLENGE                     0       0        0
 NTF_USER_NOTIFY                   0       0        0
 AFF_NTF_USER_NOTIFY               0       0        0
 NTF_AUTH                          0       0        0
 ACK_NTF_AUTH                      0       0        0
 REQ_QUERY_STATE                   0       0        0
 ACK_QUERY_STATE                   0       0        0
 REQ_MACBINDING_INFO               0       0        0
 ACK_MACBINDING_INFO               0       0        0
 NTF_USER_LOGON                    0       0        0
 RESERVED33                        0       0        0
 NTF_USER_LOGOUT                   0       0        0
 RESERVED35                        0       0        0
 PT_TYPE_REQ_USER_OFFLINE          0       0        0

Table 6 Command output

  Interface: Interface referencing the portal server.
  Server name: Name of the portal server.
  Invalid packets: Number of invalid packets.
  Pkt-Name: Packet type.
  Total: Total number of packets.
  Discard: Number of discarded packets.
  Checkerr: Number of erroneous packets.
  REQ_CHALLENGE: Challenge request message the portal server sent to the access device.
  ACK_CHALLENGE: Challenge acknowledgment message the access device sent to the portal server.
  REQ_AUTH: Authentication request message the portal server sent to the access device.
  ACK_AUTH: Authentication acknowledgment message the access device sent to the portal server.
  REQ_LOGOUT: Logout request message the portal server sent to the access device.
  ACK_LOGOUT: Logout acknowledgment message the access device sent to the portal server.
  AFF_ACK_AUTH: Affirmation message the portal server sent to the access device after receiving an authentication acknowledgment message.
  NTF_LOGOUT: Forced logout notification message the access device sent to the portal server.
  REQ_INFO: Information request message.
  ACK_INFO: Information acknowledgment message.
  NTF_USERDISCOVER: User discovery notification message the portal server sent to the access device.
  NTF_USERIPCHANGE: User IP change notification message the access device sent to the portal server.
  AFF_NTF_USERIPCHANGE: User IP change success notification message the portal server sent to the access device.
  ACK_NTF_LOGOUT: Forced logout acknowledgment message from the portal server.
  NTF_HEARTBEAT: Portal heartbeat message the portal server sent to the access device.
  NTF_USERSYNC: User synchronization packet the access device received from the portal server.
  ACK_NTF_USERSYNC: User synchronization acknowledgment packet the access device sent to the portal server.
  NTF_CHALLENGE: Challenge request the access device sent to the portal server.
  NTF_USER_NOTIFY: User information notification message the access device sent to the portal server.
  AFF_NTF_USER_NOTIFY: NTF_USER_NOTIFY acknowledgment message the access device sent to the portal server.
  NTF_AUTH: Forced authentication notification message the portal server sent to the access device.
  ACK_NTF_AUTH: NTF_AUTH acknowledgment message the access device sent to the portal server.
  REQ_QUERY_STATE: User online state query message the portal server sent to the access device.
  ACK_QUERY_STATE: User online state acknowledgment message the access device sent to the portal server.
  REQ_MACBINDING_INFO: MAC binding query the access device sent to the MAC binding server.
  ACK_MACBINDING_INFO: MAC binding query acknowledgment the MAC binding server sent to the access device.
  NTF_USER_LOGON: User login notification message the access device sent to the MAC binding server.
  RESERVED33: Reserved.
  NTF_USER_LOGOUT: User logoff notification message the access device sent to the MAC binding server.
  RESERVED35: Reserved.
  PT_TYPE_REQ_USER_OFFLINE: Forced user offline request the MAC binding server sent to the access device.

 

display portal tcp-cheat statistics

Use display portal tcp-cheat statistics to display TCP spoofing statistics.

Syntax

display portal tcp-cheat statistics [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display TCP spoofing statistics.

<Sysname> display portal tcp-cheat statistics
 TCP Cheat Statistic:
 Total Opens: 0
 Resets Connections: 0
 Current Opens: 0
 Packets Received: 0
 Packets Sent: 0
 Packets Retransmitted: 0
 Packets Dropped: 0
 HTTP Packets Sent: 0
 Connection State:
          SYN_RECVD: 0
          ESTABLISHED: 0
          CLOSE_WAIT: 0
          LAST_ACK: 0
          FIN_WAIT_1: 0
          FIN_WAIT_2: 0
          CLOSING: 0

Table 7 Command output

  TCP Cheat Statistic: TCP spoofing statistics.
  Total Opens: Total number of opened connections.
  Resets Connections: Number of connections reset through RST packets.
  Current Opens: Number of connections being set up.
  Packets Received: Number of received packets.
  Packets Sent: Number of sent packets.
  Packets Retransmitted: Number of retransmitted packets.
  Packets Dropped: Number of dropped packets.
  HTTP Packets Sent: Number of HTTP packets sent.
  Connection State: Statistics of connections in various states.
  ESTABLISHED: Number of connections in ESTABLISHED state.
  CLOSE_WAIT: Number of connections in CLOSE_WAIT state.
  LAST_ACK: Number of connections in LAST_ACK state.
  FIN_WAIT_1: Number of connections in FIN_WAIT_1 state.
  FIN_WAIT_2: Number of connections in FIN_WAIT_2 state.
  CLOSING: Number of connections in CLOSING state.

 

display portal user

Use display portal user to display information about portal users on a specific interface or all interfaces.

Syntax

display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about portal users on all interfaces.

<Sysname> display portal user all
 Index:2
 State:ONLINE
 SubState:NONE
 ACL:NONE
 Work-mode:Stand-alone
 MAC                IP                 Vlan   Interface
 ---------------------------------------------------------------------
 000d-88f8-0eab     2.2.2.2            0      vlan-interface2
 Index:3
 State:ONLINE
 SubState:NONE
 ACL:3000
 Work-mode:Primary
 MAC                IP                 Vlan   Interface
 ---------------------------------------------------------------------
 000d-88f8-0eac     3.3.3.3            0      vlan-interface2
 Total 2 user(s) matched, 2 listed.

Table 8 Command output

  Index: Index of the portal user.
  State: Current status of the portal user.
  SubState: Current sub-status of the portal user.
  ACL: Authorization ACL of the portal user.
  Work-mode: User's working mode:
    · Primary.
    · Secondary.
    · Stand-alone.
  MAC: MAC address of the portal user.
  IP: IP address of the portal user.
  Vlan: VLAN to which the portal user belongs.
  Interface: Interface to which the portal user is attached.
  Total 2 user(s) matched, 2 listed: Total number of portal users.
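Each user in this output is a multi-line record (five key:value lines, a column header, a separator and one row), which is awkward to grep but easy to parse into records. The following Python, added here and not part of the command reference, turns the output into a list of dictionaries, cross-checks the record count against the trailing Total line, and answers the two questions an operator usually has: which online users carry no authorization ACL, and how many users sit on each interface. The sample text is a constructed copy of the display output above.

```python
"""Parser for 'display portal user all' output (added example, not H3C code)."""
import re
from collections import Counter

# Constructed sample: the display output shown above.
SAMPLE = """\
 Index:2
 State:ONLINE
 SubState:NONE
 ACL:NONE
 Work-mode:Stand-alone
 MAC                IP                 Vlan   Interface
 ---------------------------------------------------------------------
 000d-88f8-0eab     2.2.2.2            0      vlan-interface2
 Index:3
 State:ONLINE
 SubState:NONE
 ACL:3000
 Work-mode:Primary
 MAC                IP                 Vlan   Interface
 ---------------------------------------------------------------------
000d-88f8-0eac      3.3.3.3            0      vlan-interface2
 Total 2 user(s) matched, 2 listed.
"""

KV_RE = re.compile(r"^\s*(Index|State|SubState|ACL|Work-mode):(\S+)\s*$")
ROW_RE = re.compile(r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"Total (\d+) user\(s\) matched, (\d+) listed")


def parse_portal_users(text: str) -> list:
    """Return one dict per user record; raise if the Total line disagrees with the records found."""
    users, current = [], None
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Index":                 # "Index:" opens a new record
                current = {"index": int(value)}
                users.append(current)
            elif current is not None:
                current[key.lower()] = value   # keys: state, substate, acl, work-mode
            continue
        m = ROW_RE.match(line)                 # the single row under the MAC/IP/Vlan/Interface header
        if m and current is not None:
            current.update(mac=m.group(1), ip=m.group(2),
                           vlan=int(m.group(3)), interface=m.group(4))
    m = TOTAL_RE.search(text)
    if m and int(m.group(2)) != len(users):
        raise ValueError(f"Total line lists {m.group(2)} users but {len(users)} records were parsed")
    return users


def users_without_acl(users: list) -> list:
    """IP addresses of online users to whom no authorization ACL was assigned (ACL:NONE)."""
    return [u["ip"] for u in users if u.get("state") == "ONLINE" and u.get("acl") == "NONE"]


def by_interface(users: list) -> dict:
    """Number of portal users attached to each interface."""
    return dict(Counter(u["interface"] for u in users if "interface" in u))


if __name__ == "__main__":
    parsed = parse_portal_users(SAMPLE)
    print(users_without_acl(parsed))   # ['2.2.2.2']
    print(by_interface(parsed))        # {'vlan-interface2': 2}
```

An ONLINE user with ACL:NONE has passed authentication but receives no per-user restriction from the RADIUS server; whether that is intended depends on the authorization policy, so it is worth listing explicitly rather than assuming every online user was given an ACL.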

 

display web-redirect user

Use display web-redirect user to display information about Web redirect users.

Syntax

display web-redirect user [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about Web redirect users.

<Sysname> display web-redirect user
Total users: 14
IP             Status         Aging     Interface
18.18.0.2      authorized     85872     Vlan-interface2
18.18.1.26     authorized     86396     Vlan-interface2
18.18.1.27     authorized     86396     Vlan-interface2
18.18.1.28     authorized     86396     Vlan-interface2
18.18.1.29     authorized     86396     Vlan-interface2
18.18.1.30     authorized     86396     Vlan-interface2
18.18.0.95     authorized     86396     Vlan-interface2
18.18.0.96     authorized     86396     Vlan-interface6
18.18.0.97     authorized     86396     Vlan-interface6
18.18.0.98     authorized     86396     Vlan-interface6
18.18.0.99     authorized     86396     Vlan-interface6
18.18.0.100    authorized     86396     Vlan-interface6
18.18.0.101    unauthorized   86396     Vlan-interface6

Table 9 Command output

Field       Description
IP          IP address of the Web redirect user.
Status      Authorization status of the Web redirect user:
            · authorized—The user is authorized to access the network.
            · unauthorized—The user is not authorized to access the network. When attempting to access the network, the user will be redirected to the URL specified by the web-redirect url command.
Aging       Aging time of the Web redirect user entry, in seconds.
Interface   Interface to which the Web redirect user is connected.

 

portal auth-network

Use portal auth-network to configure a portal authentication source subnet on an interface.

Use undo portal auth-network to remove a specific portal authentication source subnet or all portal authentication subnets.

Syntax

portal auth-network { ipv4-network-address { mask-length | mask } | ipv6 ipv6-network-address prefix-length }

undo portal auth-network { ipv4-network-address | all | ipv6 ipv6-network-address }

Default

The portal authentication source IPv4 subnet is 0.0.0.0/0 and source IPv6 subnet is ::/0, meaning that users in all subnets must pass portal authentication.

Views

Interface view

Default command level

2: System level

Parameters

ipv4-network-address: IPv4 address of the authentication source subnet.

mask-length: Length of the subnet mask, in the range of 0 to 32.

mask: Subnet mask, in dotted decimal notation.

ipv6 ipv6-network-address: IPv6 address of the authentication source subnet.

prefix-length: IPv6 address prefix length, in the range of 0 to 128.

all: Specifies all authentication source subnets.

Usage guidelines

You can use this command to configure multiple portal authentication source subnets on an interface. Then, only HTTP packets from the subnets can trigger portal authentication on the interface. If an unauthenticated user is not on any authentication source subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule.

This command is only applicable for cross-subnet authentication (layer3). The portal authentication source subnet for direct authentication (direct) can be any source IP address, and the portal authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users.

You can configure multiple authentication source subnets by executing the portal auth-network command repeatedly.

If both an authentication source subnet and destination subnet are configured on an interface, only the authentication destination subnet takes effect.

Examples

# Configure a portal authentication source subnet of 10.10.10.0/24 on interface VLAN-interface 2 to allow users from subnet 10.10.10.0/24 to trigger portal authentication.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal auth-network 10.10.10.0 24

portal delete-user

Use portal delete-user to log off portal users.

Syntax

portal delete-user { ipv4-address | all | interface interface-type interface-number | ipv6 ipv6-address }

Views

System view

Default command level

2: System level

Parameters

ipv4-address: Logs off the portal user with the specified IPv4 address.

all: Logs off all portal users.

interface interface-type interface-number: Logs off all IPv4 and IPv6 portal users on the specified interface.

ipv6 ipv6-address: Logs off the portal user with the specified IPv6 address.

Examples

# Log out the portal user whose IP address is 1.1.1.1.

<Sysname> system-view

[Sysname] portal delete-user 1.1.1.1

Related commands

display portal user

portal device-id

Use portal device-id to specify the device ID.

Use undo portal device-id to restore the default.

Syntax

portal device-id id-value

undo portal device-id

Default

A device is not configured with a device ID.

Views

System view

Default command level

2: System level

Parameters

id-value: Device ID of the device, a case-sensitive string of 1 to 16 characters. This value is used as the value of the device ID parameter carried in the redirection URL to be sent to the clients.

Usage guidelines

If the type of the portal server specified for Layer 3 portal authentication is CMCC, you must specify the device ID.

Examples

# Set the device's device ID to 0002.0010.100.00.

<Sysname> system-view

[Sysname] portal device-id 0002.0010.100.00

After this configuration, the redirection URL sent from the device to client 10.1.2.34 is:

http://www.portal.com?wlanuserip=10.1.2.34&wlanacname=0002.0010.100.00

Related commands

portal server

portal domain

Use portal domain to specify an authentication domain for portal users on an interface.

Use undo portal domain to delete the authentication domain specified for portal users.

Syntax

portal domain [ ipv6 ] domain-name

undo portal domain [ ipv6 ]

Default

No authentication domain is specified for portal users on an interface.

Views

Interface view

Default command level

2: System level

Parameters

ipv6: Specifies IPv6 portal users. If you do not specify the ipv6 keyword, the command is for IPv4 portal users.

domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters. The domain specified by this argument must already exist.

Usage guidelines

After you configure this command, the device uses the authentication domain for authentication, authorization and accounting (AAA) of the portal users on the interface.

Examples

# Configure the authentication domain for IPv4 portal users on VLAN-interface 100 as my-domain.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] portal domain my-domain

Related commands

display portal interface

portal free-rule

Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination filtering condition, or both.

Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules.

Syntax

portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | ipv6 { ipv6-address prefix-length | any } } | source { any | [ interface interface-type interface-number | ip { ip-address mask { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | ipv6 { ipv6-address prefix-length | any } | mac mac-address | vlan vlan-id ] * } } *

undo portal free-rule { rule-number | all }

Views

System view

Default command level

2: System level

Parameters

rule-number: Number for the portal-free rule. The value range is 0 to 511.

any: Imposes no limitation on the previous keyword.

ip ip-address: Specifies an IP address for the portal-free rule.

mask { mask-length | mask }: Specifies a mask or mask length for the IP address. The mask argument is a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer in the range of 0 to 32.

ipv6 ipv6-address: Specifies an IPv6 address for the portal-free rule.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

tcp tcp-port-number: Specifies a TCP port number, in the range of 0 to 65535.

udp udp-port-number: Specifies a UDP port number, in the range of 0 to 65535.

interface interface-type interface-number: Specifies a source interface.

mac mac-address: Specifies a source MAC address in the format H-H-H.

vlan vlan-id: Specifies a source VLAN ID.

all: Specifies all portal-free rules.

Usage guidelines

If you specify both a source IPv4 address and a source MAC address in a portal-free rule, the IP address must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect.

If you specify both a source IPv6 address and a source MAC address in a portal-free rule, the IPv6 address must be a host address with a 128-bit prefix. Otherwise, the specified MAC address does not take effect.

If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.

If you specify both a source port number and a destination port number for a portal-free rule, the source and destination port numbers must belong to the same transport layer protocol.

You cannot configure a portal-free rule to have the same filtering criteria as that of an existing one. When attempted, the system prompts that the rule already exists.

Regardless of whether portal authentication is enabled on an interface, you can only add or remove a portal-free rule; you cannot modify an existing rule.

Examples

# Configure a portal-free rule, allowing any packet whose source IP address is 10.10.10.1/24 and source interface is GigabitEthernet 1/0/1 to bypass portal authentication.

<Sysname> system-view

[Sysname] portal free-rule 15 source ip 10.10.10.1 mask 24 interface gigabitethernet 1/0/1 destination ip any
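A configuration lint for the constraints listed in the usage guidelines above, added here as an illustration and not part of H3C's software. The FreeRule model, the interface_vlans topology map, and the MAC, interface and port values are assumptions.

```python
import ipaddress
from dataclasses import dataclass, astuple
from typing import Optional, Tuple


# Hypothetical model of one portal-free rule, holding the filtering criteria
# the command syntax accepts (None means "any" / not specified).
@dataclass(frozen=True)
class FreeRule:
    number: int
    src_ip: Optional[str] = None          # "10.10.10.1/24" or "2001:db8::1/128"
    src_mac: Optional[str] = None         # H-H-H format, e.g. "000d-88f8-0eab"
    src_vlan: Optional[int] = None
    src_interface: Optional[str] = None
    src_port: Optional[Tuple[str, int]] = None   # ("tcp", 80) or ("udp", 53)
    dst_ip: Optional[str] = None
    dst_port: Optional[Tuple[str, int]] = None

    def criteria(self):
        # Everything except the rule number is the rule's filtering criteria.
        return astuple(self)[1:]


def check_free_rule(rule, existing, interface_vlans):
    """Return the problems the usage guidelines describe for this rule.

    existing: rules already configured on the device.
    interface_vlans: {interface name: set of VLAN IDs} (constructed topology
    knowledge supplied by the operator, not something this command reports).
    """
    problems = []
    if not 0 <= rule.number <= 511:
        problems.append("rule-number must be in the range 0 to 511")
    # A source MAC only takes effect together with a host address.
    if rule.src_ip and rule.src_mac:
        net = ipaddress.ip_network(rule.src_ip, strict=False)
        host_len = 32 if net.version == 4 else 128
        if net.prefixlen != host_len:
            problems.append(f"source MAC ignored: source address needs a /{host_len} host mask")
    # A VLAN and an interface together require the interface to be in that VLAN.
    if rule.src_vlan is not None and rule.src_interface:
        if rule.src_vlan not in interface_vlans.get(rule.src_interface, set()):
            problems.append("rule does not take effect: interface is not in the VLAN")
    # Source and destination ports must use the same transport protocol.
    if rule.src_port and rule.dst_port and rule.src_port[0] != rule.dst_port[0]:
        problems.append("source and destination ports must use the same transport protocol")
    # Identical filtering criteria are rejected as an existing rule.
    for other in existing:
        if other.number != rule.number and other.criteria() == rule.criteria():
            problems.append(f"rule already exists (same criteria as rule {other.number})")
    return problems
```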

Related commands

display portal free-rule

portal host-check

Use portal host-check to enable host identity check through DHCP snooping entries or WLAN binding entries. Only hosts whose information exists in these entries are valid for portal authentication.

Use undo portal host-check to disable host identity check through DHCP snooping entries or WLAN binding entries.

Syntax

portal host-check { dhcp-snooping | wlan }

undo portal host-check { dhcp-snooping | wlan }

Default

By default, the device performs host identity check through ARP entries.

Views

System view

Default command level

2: System level

Parameters

dhcp-snooping: Specifies DHCP snooping entries for host identity check.

wlan: Specifies WLAN binding entries for host identity check.

Usage guidelines

To view information about WLAN binding entries, execute the display wlan client source binding command.

Examples

# Enable host identity check through WLAN binding entries.

<Sysname> system-view

[Sysname] portal host-check wlan

portal mac-trigger enable

Use portal mac-trigger enable to enable MAC-based quick portal authentication (also referred to as MAC-triggered authentication) on an interface.

Use undo portal mac-trigger enable to restore the default.

Syntax

portal mac-trigger enable [ period period-value ] [ threshold threshold-value ]

undo portal mac-trigger enable

Default

MAC-triggered authentication is disabled.

Views

Interface view

Default command level

2: System level

Parameters

period period-value: Specifies the interval at which the access device collects statistics for user traffic. The period-value argument ranges from 60 to 7200 and defaults to 300, in seconds.

threshold threshold-value: Specifies the traffic threshold that triggers MAC-based quick portal authentication. The threshold-value argument ranges from 0 to 10240000 and defaults to 0, in bytes. A value of 0 means that the device performs MAC-based quick portal authentication for a portal user as long as the user accesses the network, and only allows the traffic that is permitted by portal-free rules before the user passes the authentication. A bigger threshold means that more traffic is allowed before authentication. Set a proper threshold as needed.

Usage guidelines

The access device checks portal user traffic in real time. In one statistical interval, a user can access the external network before the user's traffic reaches the threshold. When the user's traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user. If the user passes the authentication, the user can continue accessing the network, the statistics are cleared, and a new statistical interval starts. If the user fails the authentication, the user cannot access the network in the current interval, the statistics are cleared when the interval expires, and the previous process repeats.

To enable MAC-triggered authentication, you must complete the following tasks:

·          Complete basic Layer 3 portal authentication configuration.

·          Specify the IP address and port number of a MAC binding server.

·          Enable MAC-triggered authentication on the interface enabled with Layer 3 portal authentication.

·          Use portal server to specify the MAC binding server's IP address as the portal server's IP address, and specify any name for the portal server. You do not need to specify other parameters in the portal server command.

Examples

# Enable MAC-triggered authentication on interface VLAN-interface 2, specify the traffic inspection interval as 300 seconds, and specify the traffic threshold as 10240 bytes.

<Sysname> system-view

[Sysname] interface vlan-interface2

[Sysname-Vlan-interface2] portal mac-trigger enable period 300 threshold 10240
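A constructed simulation of the per-interval traffic accounting and trigger logic described in the usage guidelines, added here as an illustration and not the device's implementation. The authenticate callback stands in for the MAC binding server lookup; it assumes that a user who passes authentication stays online without being re-triggered, which the guidelines do not spell out.

```python
class MacTriggerInterface:
    """Models 'portal mac-trigger enable [period ...] [threshold ...]' on one interface."""

    def __init__(self, authenticate, period=300, threshold=0):
        if not 60 <= period <= 7200:
            raise ValueError("period must be 60 to 7200 seconds")
        if not 0 <= threshold <= 10240000:
            raise ValueError("threshold must be 0 to 10240000 bytes")
        self.authenticate = authenticate   # callable(mac) -> bool, stands in for the MAC binding server
        self.period = period
        self.threshold = threshold
        # mac -> {"bytes": counted traffic, "state": pre-auth | online | denied, "interval_start": t}
        self.users = {}

    def _entry(self, mac, now):
        e = self.users.setdefault(mac, {"bytes": 0, "state": "pre-auth", "interval_start": now})
        if now - e["interval_start"] >= self.period:
            # Statistical interval expired: statistics are cleared and a denied
            # user gets a fresh interval in which the process repeats.
            e.update(bytes=0, state="pre-auth", interval_start=now)
        return e

    def packet(self, mac, nbytes, now, free_rule_match=False):
        """Return True if the packet is forwarded, False if it is dropped."""
        e = self._entry(mac, now)
        if free_rule_match:
            return True                     # portal-free rule traffic is always permitted
        if e["state"] == "denied":
            return False                    # failed authentication: blocked for the rest of the interval
        if e["state"] == "online":
            return True
        # pre-auth: traffic is counted against the threshold; a threshold of 0
        # means the very first packet triggers authentication.
        e["bytes"] += nbytes
        if e["bytes"] < self.threshold:
            return True
        if self.authenticate(mac):
            # Passed: continue accessing, statistics cleared, new interval starts.
            e.update(state="online", bytes=0, interval_start=now)
            return True
        e["state"] = "denied"
        return False
```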

Related commands

·          portal mac-trigger server

·          portal server method

·          portal server

portal mac-trigger server

Use portal mac-trigger server to specify a MAC binding server.

Use undo portal mac-trigger server to restore the default.

Syntax

portal mac-trigger server ip ip-address [ port port-number ]

undo portal mac-trigger server

Default

No MAC binding server is specified.

Views

System view

Default command level

2: System level

Parameters

ip ip-address: Specifies the IPv4 address of a MAC binding server.

port port-number: Specifies the UDP port number that the MAC binding server uses to listen to the MAC binding requests from the access device. The port-number argument ranges from 1 to 65534 and defaults to 50100.

Usage guidelines

A MAC binding server records MAC-to-account information for portal users. When the MAC binding server receives a MAC binding query from the access device, it checks whether the MAC address has been bound with a portal user account. If it has been bound with a portal user account, the MAC binding server obtains the user's account information, and sends the user's username and password to the access device to initiate portal authentication.

Examples

# Specify the MAC binding server whose IP address is 2.2.2.2 and port number is 50111.

<Sysname> system-view

[Sysname] portal mac-trigger server ip 2.2.2.2 port 50111

Related commands

portal mac-trigger enable

portal max-user

Use portal max-user to set the maximum number of online portal users allowed in the system.

Use undo portal max-user to restore the default.

Syntax

portal max-user max-number

undo portal max-user

Default

The maximum number of portal users allowed is 5000.

Views

System view

Default command level

2: System level

Parameters

max-number: Maximum number of online portal users allowed in the system. The value range is 1 to 5000.

Usage guidelines

If the maximum number of portal users specified in the command is less than the number of current online portal users, the command still executes successfully and does not affect the online portal users. However, the system does not allow new portal users to log in until the number of online users drops below the limit.

Examples

# Set the maximum number of portal users allowed in the system to 100.

<Sysname> system-view

[Sysname] portal max-user 100

portal nas-id

Use portal nas-id to specify the NAS ID value carried in a RADIUS request.

Use undo portal nas-id to restore the default.

Syntax

portal nas-id nas-identifier

undo portal nas-id

Default

The device name specified through the sysname command is used as the NAS ID of a RADIUS request. For information about the sysname command, see Fundamentals Command Reference.

Views

Interface view, system view

Default command level

2: System level

Parameters

nas-identifier: NAS ID, a case-sensitive string of 1 to 20 characters. This value is used as the value of the NAS-Identifier attribute in the RADIUS request to be sent to the RADIUS server when a portal user logs on from an interface.

Usage guidelines

You can specify the NAS-identifier attribute value to be carried in a RADIUS request in system view or interface view. The device prefers the value specified in interface view. If no NAS ID is configured for the interface, the device uses the NAS ID configured in system view.

Examples

# Specify the NAS ID of a RADIUS request to be sent on VLAN-interface 2 as 0002053110000460.

<Sysname> system-view

[Sysname] interface vlan-interface2

[Sysname-Vlan-interface2] portal nas-id 0002053110000460

portal nas-id-profile

Use portal nas-id-profile to specify a NAS ID profile for the interface.

Use undo portal nas-id-profile to cancel the configuration.

Syntax

portal nas-id-profile profile-name

undo portal nas-id-profile

Default

An interface is not specified with any NAS ID profile.

Views

Interface view

Default command level

2: System level

Parameters

profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs, a case-insensitive string of 1 to 16 characters. The profile can be configured by using the aaa nas-id profile command.

Usage guidelines

If an interface is specified with a NAS ID profile, the interface prefers to use the binding defined in the profile. If no NAS ID profile is specified for an interface or no matching binding is found in the specified profile:

·          If a NAS ID is configured using the portal nas-id command, the device uses the configured NAS ID as that of the interface.

·          If the interface does not support NAS ID configuration or has no NAS ID configured, the device uses the device name as the interface NAS ID.

Examples

# Specify NAS ID profile aaa for VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-id-profile aaa

portal nas-ip

Use portal nas-ip to configure an interface to use a specific source IP address for outgoing portal packets.

Use undo portal nas-ip to delete the specified source IP address. If you do not specify the ipv6 keyword, this command deletes the specified source IPv4 address.

Syntax

portal nas-ip { ipv4-address | ipv6 ipv6-address }

undo portal nas-ip [ ipv6 ]

Default

No source IP address is specified for outgoing portal packets on an interface, and the interface uses the IP address of the user access interface as the source IP address for outgoing portal packets.

Views

Interface view

Default command level

2: System level

Parameters

ipv4-address: Specifies a source IPv4 address for outgoing portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies a source IPv6 address for outgoing portal packets. This IPv6 address must be a local IPv6 address, but cannot be a multicast address, an all 0 address, or a link-local address.

Examples

# Configure interface VLAN-interface 5 to use 2.2.2.2 as the source IPv4 address for outgoing portal packets.

<Sysname> system-view

[Sysname] interface vlan-interface 5

[Sysname-Vlan-interface5] portal nas-ip 2.2.2.2

portal nas-port-id

Use portal nas-port-id to specify the NAS-Port-ID value carried in a RADIUS request.

Use undo portal nas-port-id to restore the default.

Syntax

portal nas-port-id nas-port-id-value

undo portal nas-port-id

Default

No NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the physical interface through which the portal user accesses the network as the NAS-Port-ID value in a RADIUS request.

Views

Interface view

Default command level

2: System level

Parameters

nas-port-id-value: NAS-Port-ID value, a case-sensitive string of 1 to 253 characters. This value is used as the value of the NAS-Port-ID attribute in the RADIUS request to be sent to the RADIUS server when a portal user logs on from an interface.

Usage guidelines

If the device uses a RADIUS server for authentication, authorization, and accounting of portal users, when a portal user logs on from an interface, the device sends a RADIUS request that carries the NAS-Port-ID attribute to the RADIUS server.

Examples

# Specify the NAS-Port-ID value of VLAN-interface 2 as ap1.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-port-id ap1

portal nas-port-type

Use portal nas-port-type to specify the access port type (indicated by the NAS-Port-Type value) on the current interface. The specified NAS-Port-Type value is carried in the RADIUS requests sent from the device to the RADIUS server.

Use undo portal nas-port-type to restore the default.

Syntax

portal nas-port-type { ethernet | wireless }

undo portal nas-port-type

Default

The access port type of an interface is not specified, and the NAS-Port-Type value carried in RADIUS requests is the user access port type obtained by the access device.

Views

Interface view

Default command level

2: System level

Parameters

ethernet: Specifies the access port type as Ethernet, which corresponds to code 15.

wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless.

Examples

# Specify the NAS-Port-Type value of VLAN-interface 2 as IEEE 802.11 standard wireless interface.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-port-type wireless

portal redirect-url

Use portal redirect-url to specify the autoredirection URL for authenticated portal users.

Use undo portal redirect-url to restore the default.

Syntax

portal redirect-url url-string

undo portal redirect-url

Default

An authenticated portal user is redirected to the URL that the user entered in the address bar before portal authentication.

Views

System view

Default command level

2: System level

Parameters

url-string: Autoredirection URL for authenticated portal users, a string of 1 to 127 characters. It must start with http:// or https:// and must be a fully qualified URL.

Usage guidelines

To use this feature for remote Layer 3 portal authentication, the portal server must be an IMC portal server that supports the page auto-redirection function.

Examples

# Configure the device to redirect a portal user to http://www.testpt.cn 3 seconds after the user passes portal authentication.

<Sysname> system-view

[Sysname] portal redirect-url http://www.testpt.cn

portal server

Use portal server to configure a portal server for Layer 3 portal authentication.

Use undo portal server to delete a portal server or restore default settings for parameters of a portal server.

Syntax

portal server server-name { ip ipv4-address [ key [ cipher | simple ] key-string | port port-id | server-type { cmcc | imc } | url url-string ] * | ipv6 ipv6-address [ key [ cipher | simple ] key-string | port port-id | url url-string ] * }

undo portal server server-name [ key | port | server-type | url ]

Default

No portal server is configured for Layer 3 portal authentication.

Views

System view

Default command level

2: System level

Parameters

server-name: Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters.

ip ipv4-address: Specifies the IPv4 address of the portal server.

ipv6 ipv6-address: Specifies the IPv6 address of the portal server.

key: Specifies a shared key for communication with the portal server. Portal packets exchanged between the access device and the portal server carry an authenticator, which is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Sets a ciphertext shared key.

simple: Sets a plaintext shared key.

key-string: Specifies the shared key. This argument is case sensitive. If simple is specified, it must be a string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If neither simple nor cipher is specified, you set a plaintext shared key.

port port-id: Specifies the destination port number used when the device sends an unsolicited message to the portal server, in the range of 1 to 65534. The default is 50100.

server-type { cmcc | imc }: Specifies the portal server type. The default is imc.

·          cmcc: CMCC portal server. To use a CMCC portal server, you must also specify a device ID for the device by using the portal device-id command.

·          imc: H3C IMC portal server or H3C CAMS portal server.

url url-string: Specifies the uniform resource locator (URL) to which HTTP packets are to be redirected. The default URL is in the http://ip-address format, where ip-address is the IP address of the portal server. You can also specify the domain name of the portal server, in which case you must use the portal free-rule command to configure the IP address of the DNS server as a portal authentication-free destination IP address.

Usage guidelines

If the specified portal server exists and no user is on the interfaces referencing the portal server, using the undo portal server server-name command removes the specified portal server. If the keyword port, server-type, or url is also provided, the undo command restores the default setting for the specified parameter of the server. If the key keyword is also provided, the undo command deletes the shared key configuration for the server.

The configured portal server and its parameters can be removed or modified only when the portal server is not referenced by an interface. To remove or modify the settings of a portal server that has been referenced by an interface, you must first remove the portal configuration on the interface by using the undo portal command.

For secrecy, all keys, including keys configured in plain text, are saved in cipher text.

Examples

# Configure portal server pts, setting the IP address to 192.168.0.111, the plaintext key to portal, and the redirection URL to http://192.168.0.111/portal.

<Sysname> system-view

[Sysname] portal server pts ip 192.168.0.111 key simple portal url http://192.168.0.111/portal

Related commands

display portal server

portal server method

Use portal server method to enable Layer 3 portal authentication on an interface, and specify the portal server and the authentication mode to be used.

Use undo portal to disable the specified portal server or all portal servers on an interface.

Syntax

portal server server-name method { direct | layer3 | redhcp }

undo portal [ server server-name ]

Default

Layer 3 portal authentication is disabled on an interface.

Views

Interface view

Default command level

2: System level

Parameters

server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.

method: Specifies the authentication mode to be used.

direct: Direct authentication.

layer3: Cross-subnet authentication.

redhcp: Re-DHCP authentication.

Usage guidelines

The specified portal server must exist.

IPv6 portal authentication does not support the re-DHCP authentication mode.

You can enable both an IPv4 portal server and an IPv6 portal server for Layer 3 portal authentication on an interface, but you cannot enable two IPv4 or two IPv6 portal servers on the interface.

If you do not specify a portal server in the undo portal command, the command removes all Layer 3 portal authentication configuration on the interface.

Examples

# Enable Layer 3 portal authentication on interface VLAN-interface 100, referencing portal server pts and setting the authentication mode to direct.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] portal server pts method direct

Related commands

display portal server

portal server server-detect

Use portal server server-detect to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. When this function is configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes.

Use undo portal server server-detect to cancel the detection of the specified portal server.

Syntax

portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | trap } * [ interval interval ] [ retry retries ]

undo portal server server-name server-detect

Default

The portal server detection function is not configured.

Views

System view

Default command level

2: System level

Parameters

server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.

server-detect method { http | portal-heartbeat }: Specifies the portal server detection method. Two detection methods are available:

·          http: Probes HTTP connections. In this method, the access device periodically sends TCP connection requests to the HTTP service port of the portal servers enabled on its interfaces. If the TCP connection with a portal server can be established, the access device considers that the HTTP service of the portal server is open and the portal server is reachable—the detection succeeds. If the TCP connection cannot be established, the access device considers that the detection fails—the portal server is unreachable. If a portal server does not support the portal server heartbeat function, you can configure the device to use the HTTP probe method to detect the reachability of the portal server.

·          portal-heartbeat: Probes portal heartbeat packets. Portal servers periodically send portal heartbeat packets to the access devices. If the access device receives a portal heartbeat packet from a portal server within the specified interval, the access device considers that the probe succeeds and the portal server is reachable; otherwise, it considers that the probe fails and the portal server is unreachable. This method is effective only for portal servers that support the portal heartbeat function. Currently, only the IMC portal server supports this function. To implement detection with this method, you also need to configure the portal server heartbeat function on the IMC portal server and make sure that the server heartbeat interval configured on the portal server is shorter than or equal to the probe interval configured on the device.

action { log | permit-all | trap }: Specifies the actions to be taken when the status of a portal server changes. The following actions are available:

·          log: Specifies the action as sending a log message. When the status (reachable/unreachable) of a portal server changes, the access device sends a log message. The log message contains the portal server name and the current state and original state of the portal server.

·          permit-all: Specifies the action as disabling portal authentication, that is, enabling portal authentication bypass. When the device detects that a portal server is unreachable, it disables portal authentication on the interface referencing the portal server, allowing all portal users on this interface to access network resources without authenticating. When the access device receives portal server heartbeat packets or authentication packets (such as login requests and logout requests) from the server again, it re-enables portal authentication. Because this action fails open, an outage of the portal server, or a loss of reachability between the device and the server, grants unauthenticated network access to every user on the interface until the server is seen again; weigh this against the availability benefit before enabling it.

·          trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of a portal server changes, the access device sends a trap message to the network management server (NMS). The trap message contains the portal server name and the current state of the portal server.

interval interval: Interval at which probe attempts are made. The interval argument ranges from 20 to 600 and defaults to 20, in seconds.

retry retries: Maximum number of probe attempts. The retries argument ranges from 1 to 5 and defaults to 3. If the number of consecutive, failed probes reaches this value, the access device considers that the portal server is unreachable.

Usage guidelines

You can specify one or more detection methods and the actions to be taken.

If both detection methods are specified, a portal server is regarded as unreachable as long as one detection method fails, and an unreachable portal server is regarded as recovered only when both detection methods succeed.

If multiple actions are specified, the system executes all the specified actions when the status of a portal server changes.

Deleting a portal server on the device will delete the detection function for the portal server.

If you configure the detection function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.

The portal server detection function takes effect only when the portal server is referenced on an interface.

Authentication-related packets from a portal server, such as logon requests and logoff requests, have the same effect as the portal heartbeat packets for the portal server detection function.

Related command: display portal server.
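The rules above (a probe fails as soon as one configured method fails, retry consecutive failures mark the server unreachable, recovery needs every method to succeed, and each action fires on a state change) are easier to reason about as code. The following is an added example, not H3C's implementation, that models the detection state machine for one portal server and also shows what the http method actually tests: a bare TCP connect. It assumes that a single fully successful probe is enough to recover, and that the permit-all bypass is cleared on recovery (the real device also clears it when heartbeat or authentication packets arrive). The probe result sequences used by simulate are constructed for illustration.

```python
"""Model of H3C portal server detection (added example, not device code).

Assumptions: one fully successful probe recovers the server, and the
permit-all bypass is cleared on that recovery.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """HTTP probe method: a bare TCP connect to the portal server's HTTP port.

    Nothing is sent; a completed handshake counts as reachable, so a
    listener that never serves the portal page still passes this check.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_tcp_probe() -> Tuple[bool, bool]:
    """Probe a local listener, then the same port once it is closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    up = tcp_probe("127.0.0.1", port, timeout=1.0)      # expected True
    listener.close()
    down = tcp_probe("127.0.0.1", port, timeout=1.0)    # expected False
    return up, down


class ServerDetect:
    """Detection state for one portal server referenced on an interface."""

    def __init__(self, name: str, methods: Dict[str, Callable[[], bool]],
                 actions: Iterable[str], retry: int = 3) -> None:
        self.name = name
        self.methods = methods           # {"http": fn, "portal-heartbeat": fn}
        self.actions = set(actions)      # subset of {"log", "permit-all", "trap"}
        self.retry = retry               # consecutive failures before unreachable
        self.reachable = True            # a newly configured server starts reachable
        self.failures = 0                # consecutive failed probes so far
        self.bypass = False              # permit-all currently in effect
        self.events: List[str] = []      # log and trap messages emitted

    def probe(self) -> bool:
        results = {m: fn() for m, fn in self.methods.items()}
        success = all(results.values())  # any failing method fails the probe
        if success:
            self.failures = 0
            if not self.reachable:       # recovery needs every method to pass
                self._change(True)
        else:
            self.failures += 1
            if self.reachable and self.failures >= self.retry:
                self._change(False)
        return success

    def _change(self, reachable: bool) -> None:
        old = "reachable" if self.reachable else "unreachable"
        new = "reachable" if reachable else "unreachable"
        self.reachable = reachable
        if "log" in self.actions:        # log carries original and current state
            self.events.append(f"log: server {self.name} {old} -> {new}")
        if "trap" in self.actions:       # trap carries only the current state
            self.events.append(f"trap: server {self.name} {new}")
        if "permit-all" in self.actions:  # fail open while unreachable
            self.bypass = not reachable


def scripted(results: Iterable[bool]) -> Callable[[], bool]:
    """Probe callable that replays a constructed result sequence."""
    it = iter(results)
    return lambda: next(it)


def simulate(http: List[bool], heartbeat: List[bool], retry: int = 3,
             actions: Iterable[str] = ("log", "permit-all", "trap")):
    """Run one probe per entry; return [(success, reachable, bypass)] and events."""
    det = ServerDetect("pts", {"http": scripted(http),
                               "portal-heartbeat": scripted(heartbeat)},
                       actions, retry)
    states = [(det.probe(), det.reachable, det.bypass) for _ in http]
    return states, det.events
```

With retry 2, two consecutive failures of either method flip the server to unreachable and, with permit-all, open the interface; a later probe in which both methods succeed restores authentication.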

Examples

# Configure the device to detect portal server pts:

·          Specifying both the HTTP probe and portal heartbeat probe methods

·          Setting the probe interval to 600 seconds

·          Specifying the device to send a server unreachable trap message, send a log message and disable portal authentication to permit unauthenticated portal users, if two consecutive probes fail.

<Sysname> system-view

[Sysname] portal server pts server-detect method http portal-heartbeat action log permit-all trap interval 600 retry 2

portal server user-sync

Use portal server user-sync to configure portal user information synchronization with a specific portal server. When this function is configured, the device periodically checks and responds to the user synchronization packets received from the specified portal server, to keep the online user information on the device and on the portal server consistent.

Use undo portal server user-sync to cancel the portal user information synchronization configuration with the specified portal server.

Syntax

portal server server-name user-sync [ interval interval ] [ retry retries ]

undo portal server server-name user-sync

Default

The portal user synchronization function is not configured.

Views

System view

Default command level

2: System level

Parameters

server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.

user-sync: Enables the portal user synchronization function.

interval interval: Specifies the interval at which the device checks the user synchronization packets. The interval argument ranges from 60 to 3600 and defaults to 300, in seconds.

retry retries: Specifies the maximum number of consecutive failed checks. The retries argument ranges from 1 to 5 and defaults to 4. If the access device finds that one of its users does not exist in the user synchronization packets from the portal server within N consecutive probe intervals (N = retries), it considers that the user does not exist on the portal server and logs the user off.

Usage guidelines

The user information synchronization function requires that a portal server supports the portal user heartbeat function (currently only the IMC portal server supports portal user heartbeat). To implement the portal user synchronization function, you also need to configure the user heartbeat function on the portal server and make sure that the user heartbeat interval configured on the portal server is shorter than or equal to the synchronization probe interval configured on the device.

Deleting a portal server on the device will delete the portal user synchronization configuration with the portal server.

If you configure the user synchronization function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.

For redundant user information on the device (information about users considered nonexistent on the portal server), the device deletes the information during the (N+1)th probe interval, where N is the value of retries configured in the portal server user-sync command.
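The per-user counting behind these rules, including the reset when a user reappears in a synchronization packet and the deletion during the (N+1)th interval, is shown by the following added example. It is not H3C's code: it models one device-side user table, takes the set of user names carried in the synchronization packets received during each interval as input, and returns the users logged off in that interval. The user names and per-interval sets are constructed for illustration; whether a user that reappears exactly in the (N+1)th interval is still removed is an assumption of this model.

```python
"""Model of H3C portal user synchronization (added example, not device code).

Assumption: once a user has been absent for retry consecutive intervals,
it is removed during the next interval even if it reappears in that one.
"""
from typing import Dict, Iterable, List, Set


class UserSync:
    def __init__(self, retry: int = 4) -> None:
        self.retry = retry                  # consecutive absent intervals allowed
        self.online: Set[str] = set()       # users the device believes online
        self.missing: Dict[str, int] = {}   # consecutive intervals absent per user

    def login(self, user: str) -> None:
        """Portal login completed: the user is tracked from now on."""
        self.online.add(user)
        self.missing[user] = 0

    def interval(self, synced: Iterable[str]) -> List[str]:
        """One synchronization probe interval.

        `synced` is the set of users present in the synchronization packets
        received from the portal server during this interval. Returns the
        users logged off during this interval.
        """
        synced = set(synced)
        # Users that reached the threshold in earlier intervals are removed
        # now, which is the (N+1)th interval for them.
        logged_off = sorted(u for u in self.online
                            if self.missing[u] >= self.retry)
        for u in logged_off:
            self.online.discard(u)
            del self.missing[u]
        # Then compare the remaining table with what the server reported:
        # present resets the counter, absent extends the run.
        for u in self.online:
            self.missing[u] = 0 if u in synced else self.missing[u] + 1
        return logged_off


def simulate_sync(retry: int, users: Iterable[str],
                  intervals: Iterable[Iterable[str]]) -> List[List[str]]:
    """Log in `users`, feed one synced set per interval, collect log-offs."""
    sync = UserSync(retry)
    for u in users:
        sync.login(u)
    return [sync.interval(s) for s in intervals]
```

With retry 2, a user absent from two consecutive synchronization packets is logged off during the third interval, while a user that reappears after one absent interval has its counter reset and survives until it is again absent twice in a row.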

Examples

# Configure the device to synchronize portal user information with portal server pts:

·          Setting the synchronization probe interval to 600 seconds

·          Specifying the device to log off users if information of the users does not exist in the user synchronization packets sent from the server in two consecutive probe intervals.

<Sysname> system-view

[Sysname] portal server pts user-sync interval 600 retry 2

portal url-param des-key

Use portal url-param des-key to configure a DES key for the parameter carried in the redirection URL.

Use undo portal url-param des-key to restore the default.

Syntax

portal url-param des-key { simple | cipher } key

undo portal url-param des-key

Default

The DES key is 12345678.

Views

System view

Default command level

2: System level

Parameters

simple: Sets a key in plaintext form.

cipher: Sets a key in encrypted form.

key: Specifies the key. Its plaintext form is a case-sensitive string of 8 characters. Its encrypted form is a case-sensitive string of 1 to 41 characters.

Usage guidelines

The default key 12345678 is published in this document and is the same on every device, so anyone who captures a redirection URL can recover a DES-encrypted MAC address parameter unless you change it. DES with a single 8-character key also offers only limited protection for the parameter value. Change the default key, and configure the same key on the portal server that decrypts the parameter.

Examples

# Configure the plaintext DES key as test1234 for the parameter carried in the redirection URL.

<Sysname> system-view

[Sysname] portal url-param des-key simple test1234

portal url-param include

Use portal url-param include to configure the parameters carried in the redirection URL.

Use undo portal url-param include to delete the parameters carried in the redirection URL.

Syntax

portal url-param include { nas-id | nas-ip | { user-mac | ap-mac } [ des-encrypt ] | user-url | user-ip | ac-name | ssid } [ param-name param-name ]

undo portal url-param include { nas-id | nas-ip | { user-mac | ap-mac } [ des-encrypt ] | user-url | user-ip | ac-name | ssid } [ param-name ]

Default

No parameters are configured to be carried in the redirection URL.

Views

Interface view, system view

Default level

2: System level

Parameters

nas-id: Specifies the NAS ID parameter.

nas-ip: Specifies the NAS IP parameter. If the source IP address of portal packets has been specified for the interface by using the portal nas-ip command, the source IP address is carried in the redirection URL. Otherwise, the IP address of the user access interface is carried in the redirection URL.

user-mac: Specifies the user MAC parameter. In the redirection URL, the MAC address is a hexadecimal string in the format XX-XX-XX-XX-XX-XX.

ap-mac: Specifies the AP MAC parameter. In the redirection URL, the MAC address is a hexadecimal string in the format XX-XX-XX-XX-XX-XX.

des-encrypt: Specifies DES to encrypt the MAC address of the user or AP in the redirection URL. If you do not specify this keyword, the redirection URL contains a plaintext MAC address.

user-url: Specifies the user-requested URL parameter. If you do not specify param-name for it, the IMC server uses its default parameter name. With this parameter carried, the authenticated portal user is redirected as follows:

·          If an autoredirection URL is configured by the portal redirect-url command, the authenticated user is redirected to the autoredirection URL.

·          If no autoredirection URL is configured, the authenticated user is redirected to the URL that the user requested before portal authentication.

user-ip: Specifies the user IP parameter. If you do not specify param-name for it, the IMC server uses the default name userip, and the CMCC server uses the default name wlanuserip.

ac-name: Specifies the AC name parameter, which is configured by the portal device-id command. If you do not specify param-name for it, the CMCC server uses the default name wlanacname, as in the example redirection URL in this section.

ssid: Specifies the SSID parameter, which is the name of the access service for the wireless user. If you do not specify param-name for it, the CMCC server uses the default name ssid.

param-name param-name: Specifies the name of the included parameter, a case-sensitive string of 1 to 20 characters containing only letters and digits. The included parameter and the specified name appear in the redirection URL in the format "param-name=param-value".

Usage guidelines

If you configure the device to carry the NAS ID parameter in the redirection URL, the device obtains the NAS ID in the following order:

1.        Uses the NAS ID from the WLAN module.

2.        Uses the NAS ID configured by using the nas-id-profile command in interface view, which is associated with the user VLAN.

3.        Uses the NAS ID configured by using the nas-id command on the interface.

4.        Uses the global NAS ID configured by using the portal nas-id command.

If no NAS ID is found after these steps, the redirection URL does not carry the NAS ID parameter.

Configuration in system view applies to all portal users on all the device interfaces. Configuration in interface view has higher priority than that in system view.

Examples

# Configure carrying the NAS ID parameter in the redirection URL, with the parameter name as wlannasid.

<Sysname> system-view

[Sysname] portal url-param include nas-id param-name wlannasid

# Configure the DES-encrypted URL parameter user-mac carried in the redirection URL on VLAN-interface 10, with the parameter name as wlanusermac.

[Sysname] interface Vlan-interface10

[Sysname-Vlan-interface10] portal url-param include user-mac des-encrypt param-name wlanusermac

After the previous configuration, if the NAS ID is test and the client IP address is 10.1.2.34, the redirection URL the device sends to the client is as follows:

http://www.portal.com?wlanacname=0002.0010.100.00&wlanuserip=10.1.2.34&ssid=easy&wlannasid=test&wlanusermac=00-00-22-33-44-55

The wlanusermac value is shown here in plaintext form for readability. Because des-encrypt is configured on VLAN-interface 10, the value actually carried in the URL is the DES-encrypted form of the MAC address, not the plaintext MAC address.

portal user-url

Use portal user-url to configure a redirection URL based on a user-requested URL.

Use undo portal user-url to restore the default.

Syntax

portal user-url user-url-string redirect-url redirect-url-string

undo portal user-url

Default

No redirection URL is configured based on a user-requested URL.

Views

System view

Default level

2: System level

Parameters

user-url-string: Specifies the URL that a user requests. The URL must be complete and begin with http://. The URL string length is 1 to 127 characters.

redirect-url-string: Specifies the URL to which the user is redirected. The URL must be complete and begin with http://. The URL string length is 1 to 127 characters.

Usage guidelines

You can specify the URLs of portal authentication pages as the redirection URLs for user-requested URLs. Then, the device can push authentication pages based on the user-requested URLs.

Examples

# Configure the redirection URL as http://111.8.0.244:8080/portal for the user-requested URL http://5.5.5.5.

<Sysname> system-view

[Sysname] portal user-url http://5.5.5.5 redirect-url http://111.8.0.244:8080/portal

reset portal connection statistics

Use reset portal connection statistics to clear portal connection statistics on a specific interface or all interfaces.

Syntax

reset portal connection statistics { all | interface interface-type interface-number }

Views

User view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Clear portal connection statistics on interface VLAN-interface 2.

<Sysname> reset portal connection statistics interface vlan-interface2

reset portal server statistics

Use reset portal server statistics to clear portal server statistics on a specific interface or all interfaces.

Syntax

reset portal server statistics { all | interface interface-type interface-number }

Views

User view

Default command level

1: Monitor level

Parameters

all: Specifies all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Clear portal server statistics on interface VLAN-interface 2.

<Sysname> reset portal server statistics interface vlan-interface2

reset portal tcp-cheat statistics

Use reset portal tcp-cheat statistics to clear TCP spoofing statistics.

Syntax

reset portal tcp-cheat statistics

Views

User view

Default command level

1: Monitor level

Examples

# Clear TCP spoofing statistics.

<Sysname> reset portal tcp-cheat statistics

web-redirect

Use web-redirect to configure the mandatory webpage pushing function on an interface. After you configure this function on an interface and set the redirection interval, a user on the interface is forced to a specific webpage the first time the user accesses network resources through the Web. If the user sends another Web access request after the redirection interval has elapsed, the system pushes the specified webpage to the user again.

Use undo web-redirect to restore the default.

Syntax

web-redirect url url-string [ interval interval ]

undo web-redirect

Default

This function is not configured on an interface.

Views

Interface view

Default command level

2: System level

Parameters

url-string: URL address to which a Web access request is to be redirected.

interval interval: Redirection interval in seconds, in the range of 60 to 86400. The default is 86400.

Usage guidelines

You cannot configure both the portal function and the mandatory webpage pushing function on an interface. If you do so, the function configured later does not take effect.

If you execute this command repeatedly, the last configuration takes effect.

Examples

# Configure the mandatory webpage pushing function on VLAN-interface 100, setting the redirection URL address to http://192.0.0.1 and the interval to 3600 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] web-redirect url http://192.0.0.1 interval 3600

web-redirect track

Use web-redirect track to enable Web redirect track, which monitors the status or signal information of a tracked interface.

Use undo web-redirect track to disable Web redirect track.

Syntax

web-redirect track interface interface-type interface-number

undo web-redirect track

Default

Web redirect track is disabled.

Views

Interface view

Default command level

2: System level

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

This feature pushes a destination-unreachable notification webpage to users who attempt to access the Internet when it detects the following situations:

·          The tracked interface is down.

·          The tracked interface receives 2G signal or no signal.

Examples

# Enable Web redirect track on VLAN-interface 1 to track network signal information on Cellular-Ethernet 1/0/1.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] web-redirect track interface Cellular-Ethernet1/0/1
