07-Security Command Reference
04-Portal Commands
access-user detect
Syntax
access-user detect type arp retransmit number interval interval
undo access-user detect
View
Interface view
Default level
2: System level
Parameters
type arp: Uses ARP requests as probe packets.
retransmit number: Specifies the maximum number of times the device sends probe packets to a user before it receives a reply from the user. If this number is reached and the device still receives no reply from the portal user, the device considers the portal user offline and logs out the user. The number argument ranges from 2 to 5.
interval interval: Specifies the interval for sending probe packets, in the range of 5 to 120, in seconds.
Description
Use access-user detect to configure the online portal user detection function.
Use undo access-user detect to restore the default.
By default, the portal user detection function is not configured on an interface.
When this function is configured on an interface, the device sends ARP requests to portal users on the interface to check whether they are still online. More specifically, if the interface receives no packets from a portal user within 3 minutes (not configurable), the device sends probe packets (ARP requests) to that user. If the device receives no reply from the portal user when the maximum number of probes is reached, it logs off the user. If a reply arrives before the maximum number of probes is reached, the device stops sending probe packets and listens for packets from the portal user for another three minutes. The device repeats this process to detect whether portal users are online.
Examples
# Configure the portal user detection function on VLAN-interface 100, specifying the probe packets as ARP requests, maximum number of probe attempts as 3, and probe interval as 10 seconds.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] access-user detect type arp retransmit 3 interval 10
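The timeline below is an added example, not part of the command reference, that models how the detection function described above behaves for the values configured in the example (retransmit 3, interval 10). It assumes that the 3-minute idle listen is fixed, that a probe left unanswered for one full interval counts as a failed attempt, that the user is logged off when the last of the retransmit attempts fails, and that any packet from the user (including an ARP reply to a probe) counts as activity and restarts the idle listen; the function names are mine.

```python
"""Model the detection timeline of `access-user detect type arp`.

Added example, not from the command reference. Assumptions: the 3-minute
idle listen is fixed (the manual says it is not configurable); a probe that
stays unanswered for one full `interval` counts as a failed attempt, and the
user is logged off when the last of `retransmit` attempts fails; any packet
from the user, including an ARP reply to a probe, counts as activity and
restarts the idle listen.
"""
IDLE_LISTEN_SECONDS = 180  # "3 minutes (not configurable)" in the manual


def validate(retransmit, interval):
    """Ranges taken from the command's Parameters section."""
    if not 2 <= retransmit <= 5:
        raise ValueError("retransmit must be 2 to 5")
    if not 5 <= interval <= 120:
        raise ValueError("interval must be 5 to 120 seconds")


def worst_case_detection_delay(retransmit, interval):
    """Seconds between a user's last packet and the forced logout."""
    validate(retransmit, interval)
    return IDLE_LISTEN_SECONDS + retransmit * interval


def _probe_window(last_seen, retransmit, interval, next_activity, probes):
    """Record the probes sent after `last_seen` and before `next_activity`
    (None means the user never spoke again). Return the logout time if
    every attempt failed, else None."""
    start = last_seen + IDLE_LISTEN_SECONDS
    for k in range(retransmit):
        send_at = start + k * interval
        if next_activity is not None and send_at >= next_activity:
            return None  # a user packet arrived first: back to listening
        probes.append(send_at)
    deadline = start + retransmit * interval
    if next_activity is not None and next_activity < deadline:
        return None  # the reply to the final probe arrived in time
    return deadline


def detection_timeline(activity_times, retransmit, interval):
    """Return (probe send times, logout time) for a user whose packets were
    seen at the given times (seconds; the first entry is the login)."""
    validate(retransmit, interval)
    times = sorted(activity_times)
    if not times:
        raise ValueError("need at least the login time")
    probes = []
    last_seen = times[0]
    for t in times[1:]:
        logout = _probe_window(last_seen, retransmit, interval, t, probes)
        if logout is not None:
            return probes, logout  # the user was cut off before this packet
        last_seen = t
    return probes, _probe_window(last_seen, retransmit, interval, None, probes)


if __name__ == "__main__":
    # A user who goes silent right after login, with the example's settings.
    print(detection_timeline([0], 3, 10))  # probes at 180, 190, 200; logout at 210
```

With these settings a user who disappears is not logged off until three and a half minutes after their last packet, which is the figure to keep in mind when sizing accounting and session limits.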
display portal acl
Syntax
display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
all: Displays all portal access control lists (ACLs), including dynamic and static portal ACLs.
dynamic: Displays dynamic portal ACLs—ACLs generated dynamically after a user passes portal authentication.
static: Displays static portal ACLs—ACLs generated through portal related configuration, such as portal-free rule configuration.
interface interface-type interface-number: Displays the ACLs on the specified interface.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display portal acl to display the ACLs on a specified interface.
Examples
# Display all ACLs on interface VLAN-interface 2.
<Sysname> display portal acl all interface vlan-interface 2
Vlan-interface2 portal ACL rule:
Rule 0
Inbound interface : all
Type : static
Action : permit
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
MAC : 0000-0000-0000
Interface : any
VLAN : 2
Protocol : 0
Destination:
IP : 192.168.1.15
Mask : 255.255.255.255
Port : any
Rule 1
Inbound interface : all
Type : dynamic
Action : permit
Source:
IP : 8.8.8.8
Mask : 255.255.255.255
MAC : 0015-e9a6-7cfe
Interface : any
VLAN : 2
Protocol : 0
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Author ACL:
Number : 3001
Rule 2
Inbound interface : all
Type : static
Action : redirect
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
MAC : 0000-0000-0000
Interface : any
VLAN : 2
Protocol : 6
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Rule 3
Inbound interface : all
Type : static
Action : deny
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
MAC : 0000-0000-0000
Interface : any
VLAN : 2
Protocol : 0
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Rule 4
Inbound interface : all
Type : static
Action : permit
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
MAC : 0000-0000-0000
Interface : any
VLAN : 2
SSID : abcd
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : any
Table 1 Command output
Field | Description |
---|---|
Rule | Sequence number of the portal ACL, numbered from 0 in ascending order. |
Inbound interface | Interface to which the portal ACL is bound. |
Type | Type of the portal ACL. |
Action | Match action in the portal ACL. |
Source | Source information in the portal ACL. |
IP | Source IP address in the portal ACL. |
Mask | Subnet mask of the source IP address in the portal ACL. |
MAC | Source MAC address in the portal ACL. |
Interface | Source interface in the portal ACL. |
VLAN | Source VLAN in the portal ACL. |
SSID | Source SSID in the portal ACL. |
Protocol | Protocol type in the portal ACL. |
Destination | Destination information in the portal ACL. |
IP | Destination IP address in the portal ACL. |
Mask | Subnet mask of the destination IP address in the portal ACL. |
Port | Destination transport layer port number in the portal ACL. |
Author ACL | Authorization ACL information. It is displayed only when the value of the Type field is dynamic. |
Number | Authorization ACL number assigned by the RADIUS server. None indicates that the server did not assign any ACL. |
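When auditing a portal interface it is useful to turn the output above into structured data rather than reading it by eye. The parser below is an added example, not code from the command reference or the device; it assumes the output layout shown in the manual ("Rule N" lines, "Key : value" lines, and "Source:", "Destination:" and "Author ACL:" sub-blocks), and the sample text it parses is a constructed copy of rules 1 and 4 from the example output. The function names are mine.

```python
"""Parse the text output of `display portal acl` into structured rules and
pull out what an operator audits: which portal users hold a dynamic
(post-authentication) ACL, and which static rules permit traffic with no
IP restriction at all.

Added example, not from the command reference. It assumes the output
layout shown in the manual: a "Rule N" line, "Key : value" lines, and
"Source:" / "Destination:" / "Author ACL:" sub-blocks.
"""
import re

# Constructed sample in the manual's layout (rules 1 and 4 of the example).
SAMPLE_OUTPUT = """\
Vlan-interface2 portal ACL rule:
Rule 1
Inbound interface : all
Type : dynamic
Action : permit
Source:
IP : 8.8.8.8
Mask : 255.255.255.255
MAC : 0015-e9a6-7cfe
Interface : any
VLAN : 2
Protocol : 0
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Author ACL:
Number : 3001
Rule 4
Inbound interface : all
Type : static
Action : permit
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
MAC : 0000-0000-0000
Interface : any
VLAN : 2
SSID : abcd
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : any
"""

RULE_RE = re.compile(r"^Rule\s+(\d+)$")
KV_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")
SECTIONS = {"Source:": "source", "Destination:": "destination", "Author ACL:": "author_acl"}


def parse_portal_acl(text):
    """Return a list of dicts, one per rule, keyed by lower-case field names."""
    rules, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            current = {"rule": int(m.group(1)), "source": {}, "destination": {}, "author_acl": {}}
            rules.append(current)
            section = None
            continue
        if current is None:
            continue  # interface header line before the first rule
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key = m.group(1).strip().lower().replace(" ", "_")
        value = m.group(2).strip()
        (current if section is None else current[section])[key] = value
    return rules


def authenticated_users(rules):
    """(MAC, IP, authorization ACL number) for each dynamic rule, that is,
    for each user who passed portal authentication on this interface."""
    return [(r["source"].get("mac"), r["source"].get("ip"), r["author_acl"].get("number"))
            for r in rules if r.get("type") == "dynamic"]


def find_unrestricted_permits(rules):
    """Static permit rules with 0.0.0.0/0.0.0.0 as both source and destination.
    Such a rule may still be scoped by VLAN or SSID (rule 4 in the manual is
    limited to SSID abcd), so review each hit rather than treating it as a bug."""
    def is_any(side):
        return side.get("ip") == "0.0.0.0" and side.get("mask") == "0.0.0.0"
    return [r for r in rules
            if r.get("type") == "static" and r.get("action") == "permit"
            and is_any(r["source"]) and is_any(r["destination"])]
```

Running `parse_portal_acl` over the saved output of several interfaces gives a quick inventory of who is online with which authorization ACL, and of static permits that a portal-free rule opened wider than intended.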
display portal connection statistics
Syntax
display portal connection statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display portal connection statistics to display portal connection statistics on a specified interface or all interfaces.
Examples
# Display portal connection statistics on interface VLAN-interface 1.
<Sysname> display portal connection statistics interface Vlan-interface 1
---------------Interface: Vlan-interface 1-----------------------
User state statistics:
State-Name User-Num
VOID 0
DISCOVERED 0
WAIT_AUTHEN_ACK 0
WAIT_AUTHOR_ACK 0
WAIT_LOGIN_ACK 0
WAIT_ACL_ACK 0
WAIT_NEW_IP 0
WAIT_USERIPCHANGE_ACK 0
ONLINE 1
WAIT_LOGOUT_ACK 0
WAIT_LEAVING_ACK 0
Message statistics:
Msg-Name Total Err Discard
MSG_AUTHEN_ACK 3 0 0
MSG_AUTHOR_ACK 3 0 0
MSG_LOGIN_ACK 3 0 0
MSG_LOGOUT_ACK 2 0 0
MSG_LEAVING_ACK 0 0 0
MSG_CUT_REQ 0 0 0
MSG_AUTH_REQ 3 0 0
MSG_LOGIN_REQ 3 0 0
MSG_LOGOUT_REQ 2 0 0
MSG_LEAVING_REQ 0 0 0
MSG_ARPPKT 0 0 0
MSG_PORT_REMOVE 0 0 0
MSG_VLAN_REMOVE 0 0 0
MSG_IF_REMOVE 6 0 0
MSG_IF_SHUT 0 0 0
MSG_IF_DISPORTAL 0 0 0
MSG_IF_UP 0 0 0
MSG_ACL_RESULT 0 0 0
MSG_AAACUTBKREQ 0 0 0
MSG_CUT_BY_USERINDEX 0 0 0
MSG_CUT_L3IF 0 0 0
MSG_IP_REMOVE 0 0 0
MSG_ALL_REMOVE 1 0 0
MSG_IFIPADDR_CHANGE 0 0 0
MSG_SOCKET_CHANGE 8 0 0
MSG_NOTIFY 0 0 0
MSG_SETPOLICY 0 0 0
MSG_SETPOLICY_RESULT 0 0 0
Table 2 Command output
Field | Description |
---|---|
User state statistics | Statistics on portal users. |
State-Name | Name of a user state. |
User-Num | Number of users in a specific state. |
Message statistics | Statistics on messages. |
Msg-Name | Message type. |
Total | Total number of messages of a specific type. |
Err | Number of erroneous messages of a specific type. |
Discard | Number of discarded messages of a specific type. |
MSG_AUTHEN_ACK | Authentication acknowledgment message. |
MSG_AUTHOR_ACK | Authorization acknowledgment message. |
MSG_LOGIN_ACK | Accounting acknowledgment message. |
MSG_LOGOUT_ACK | Accounting-stop acknowledgment message. |
MSG_LEAVING_ACK | Leaving acknowledgment message. |
MSG_CUT_REQ | Cut request message. |
MSG_AUTH_REQ | Authentication request message. |
MSG_LOGIN_REQ | Accounting request message. |
MSG_LOGOUT_REQ | Accounting-stop request message. |
MSG_LEAVING_REQ | Leaving request message. |
MSG_ARPPKT | ARP message. |
MSG_PORT_REMOVE | Users-of-a-Layer-2-port-removed message. |
MSG_VLAN_REMOVE | VLAN user removed message. |
MSG_IF_REMOVE | Users-removed message, indicating the users on a Layer 3 interface were removed because the Layer 3 interface was removed. |
MSG_IF_SHUT | Layer 3 interface shutdown message. |
MSG_IF_DISPORTAL | Portal-disabled-on-interface message. |
MSG_IF_UP | Layer 3 interface came up message. |
MSG_ACL_RESULT | ACL deployment failure message. |
MSG_AAACUTBKREQ | Message that AAA uses to notify portal to delete backup user information. |
MSG_CUT_BY_USERINDEX | Force-user-offline message. |
MSG_CUT_L3IF | Users-removed message, indicating the users on a Layer 3 interface were removed because they were logged out. |
MSG_IP_REMOVE | User-with-an-IP-removed message. |
MSG_ALL_REMOVE | All-users-removed message. |
MSG_IFIPADDR_CHANGE | Interface IP address change message. |
MSG_SOCKET_CHANGE | Socket change message. |
MSG_NOTIFY | Notification message. |
MSG_SETPOLICY | Set policy message for assigning security ACL. |
MSG_SETPOLICY_RESULT | Set policy response message. |
display portal free-rule
Syntax
display portal free-rule [ rule-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
rule-number: Specifies the number of a portal-free rule, in the range of 0 to 63.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display portal free-rule to display information about a specific portal-free rule or all portal-free rules.
Related commands: portal free-rule.
Examples
# Display information about portal-free rule 1.
<Sysname> display portal free-rule 1
Rule-Number 1:
Source:
IP : 2.2.2.0
Mask : 255.255.255.0
MAC : 0000-0000-0000
Interface : any
Vlan : 0
SSID : abcd
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Protocol : 0
Table 3 Command output
Field | Description |
---|---|
Rule-Number | Number of the portal-free rule |
Source | Source information in the portal-free rule |
IP | Source IP address in the portal-free rule |
Mask | Subnet mask of the source IP address in the portal-free rule |
MAC | Source MAC address in the portal-free rule |
Interface | Source interface in the portal-free rule |
Vlan | Source VLAN in the portal-free rule |
SSID | Source SSID in the portal-free rule |
Destination | Destination information in the portal-free rule |
IP | Destination IP address in the portal-free rule |
Mask | Subnet mask of the destination IP address in the portal-free rule |
Protocol | Transport layer protocol in the portal-free rule |
display portal interface
Syntax
display portal interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display portal interface to display the portal configuration of an interface.
Examples
# Display the portal configuration of interface VLAN-interface 1.
<Sysname> display portal interface Vlan-interface 1
Interface portal configuration:
Vlan-interface 1: Portal running
Portal server: servername
Portal backup-group: 1
Authentication type: Layer3
Authentication domain: my-domain
Authentication network:
source address : 1.1.1.1 mask : 255.255.0.0
destination address : 2.2.2.0 mask : 255.255.255.0
Table 4 Command output
Field | Description |
---|---|
Interface portal configuration | Portal configuration on the interface. |
Vlan-interface 1 | Status of portal authentication on the interface: disabled (portal authentication is disabled), enabled (portal authentication is enabled but is not functioning), or running (portal authentication is functioning). |
Portal server | Portal server referenced by the interface. |
Portal backup-group | ID number of the portal group to which the interface belongs. If the interface does not belong to any portal group, None is displayed. Support for displaying this field depends on the device model. For more information, see About the WX Series Access Controllers Command References. |
Authentication type | Authentication mode enabled on the interface. |
Authentication domain | Mandatory authentication domain of the interface. |
Authentication network | Information about the portal authentication source subnet. |
source address | IP address of the portal authentication source subnet. |
mask | Subnet mask of the IP address of the portal authentication source subnet. |
display portal local-server
Syntax
display portal local-server [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display portal local-server to display configuration information about the local portal server, including the supported protocol type, the referenced SSL server policy, and the SSID binding information.
Related commands: portal local-server and portal local-server bind.
Examples
# Display configuration information about the local portal server.
<Sysname> display portal local-server
Protocol: HTTPS
Server policy: policy1
Bind SSID list:
ssid1: file1.zip
ssid2: file1.zip
Table 5 Command output
Field | Description |
---|---|
Protocol | Protocol supported by the local portal server, HTTP or HTTPS. |
Server policy | SSL server policy associated with the HTTPS service. If HTTP is configured, this field will be null. |
Bind SSID list | SSID binding list. If no binding entry is configured, this field will be null. If the device does not support SSID binding, this field will not be displayed. |
display portal server
Syntax
display portal server [ server-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display portal server to display information about a specific portal server or all portal servers.
Related commands: portal server.
Examples
# Display information about portal server aaa.
<Sysname> display portal server aaa
Portal server:
1)aaa:
IP : 192.168.0.111
Port : 50100
Key : portal
URL : http://192.168.0.111
Status : Up
Table 6 Command output
Field | Description |
---|---|
1) | Number of the portal server. |
aaa | Name of the portal server. |
IP | IP address of the portal server. |
Port | Listening port on the portal server. |
Key | Shared key for exchanges between the access device and the portal server. Not configured is displayed if no key is configured. |
URL | Address the packets are to be redirected to. Not configured is displayed if no address is configured. |
Status | Current status of the portal server. Possible values: N/A (the server is not referenced on any interface, or the server detection function is not enabled, so the reachability of the portal server is unknown); Up (the portal server is referenced on an interface, the portal server detection function is enabled, and the portal server is reachable); Down (the portal server is referenced on an interface and the portal server detection function is enabled, but the portal server is unreachable). |
display portal server statistics
Syntax
display portal server statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display portal server statistics to display portal server statistics on a specific interface or all interfaces.
With the all keyword specified, the command displays portal server statistics by interface and therefore statistics about a portal server referenced by more than one interface may be displayed repeatedly.
Examples
# Display portal server statistics on VLAN-interface 1.
<Sysname> display portal server statistics interface Vlan-interface 1
---------------Interface: Vlan-interface 1----------------------
Server name: st
Invalid packets: 0
Pkt-Name Total Discard Checkerr
REQ_CHALLENGE 3 0 0
ACK_CHALLENGE 3 0 0
REQ_AUTH 3 0 0
ACK_AUTH 3 0 0
REQ_LOGOUT 1 0 0
ACK_LOGOUT 1 0 0
AFF_ACK_AUTH 3 0 0
NTF_LOGOUT 1 0 0
REQ_INFO 6 0 0
ACK_INFO 6 0 0
NTF_USERDISCOVER 0 0 0
NTF_USERIPCHANGE 0 0 0
AFF_NTF_USERIPCHANGE 0 0 0
ACK_NTF_LOGOUT 1 0 0
NTF_USERSYNC 2 0 0
ACK_NTF_USERSYNC 0 0 0
NTF_CHALLENGE 0 0 0
NTF_USER_NOTIFY 0 0 0
AFF_NTF_USER_NOTIFY 0 0 0
Table 7 Command output
Field | Description |
---|---|
Interface | Interface referencing the portal server |
Server name | Name of the portal server |
Invalid packets | Number of invalid packets |
Pkt-Name | Packet type |
Total | Total number of packets |
Discard | Number of discarded packets |
Checkerr | Number of erroneous packets |
REQ_CHALLENGE | Challenge request message the portal server sends to the access device |
ACK_CHALLENGE | Challenge acknowledgment message the access device sends to the portal server |
REQ_AUTH | Authentication request message the portal server sends to the access device |
ACK_AUTH | Authentication acknowledgment message the access device sends to the portal server |
REQ_LOGOUT | Logout request message the portal server sends to the access device |
ACK_LOGOUT | Logout acknowledgment message the access device sends to the portal server |
AFF_ACK_AUTH | Affirmation message the portal server sends to the access device after receiving an authentication acknowledgment message |
NTF_LOGOUT | Forced logout notification message the access device sends to the portal server |
REQ_INFO | Information request message |
ACK_INFO | Information acknowledgment message |
NTF_USERDISCOVER | User discovery notification message the portal server sends to the access device |
NTF_USERIPCHANGE | User IP change notification message the access device sends to the portal server |
AFF_NTF_USERIPCHANGE | User IP change success notification message the portal server sends to the access device |
ACK_NTF_LOGOUT | Forced logout acknowledgment message from the portal server |
NTF_USERSYNC | User synchronization packet the access device received from the portal server |
ACK_NTF_USERSYNC | User synchronization acknowledgment packet the access device sent to the portal server |
NTF_CHALLENGE | Challenge request the access device sent to the portal server |
NTF_USER_NOTIFY | User information notification message the access device sent to the portal server |
AFF_NTF_USER_NOTIFY | NTF_USER_NOTIFY acknowledgment message the access device sent to the portal server |
display portal tcp-cheat statistics
Syntax
display portal tcp-cheat statistics [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display portal tcp-cheat statistics to display TCP spoofing statistics.
Examples
# Display TCP spoofing statistics.
<Sysname> display portal tcp-cheat statistics
TCP Cheat Statistic:
Total Opens: 0
Resets Connections: 0
Current Opens: 0
Packets Received: 0
Packets Sent: 0
Packets Retransmitted: 0
Packets Dropped: 0
HTTP Packets Sent: 0
Connection State:
SYN_RECVD: 0
ESTABLISHED: 0
CLOSE_WAIT: 0
LAST_ACK: 0
FIN_WAIT_1: 0
FIN_WAIT_2: 0
CLOSING: 0
Table 8 Command output
Field | Description |
---|---|
TCP Cheat Statistic | TCP spoofing statistics |
Total Opens | Total number of opened connections |
Resets Connections | Number of connections reset through RST packets |
Current Opens | Number of connections being set up |
Packets Received | Number of received packets |
Packets Sent | Number of sent packets |
Packets Retransmitted | Number of retransmitted packets |
Packets Dropped | Number of dropped packets |
HTTP Packets Sent | Number of HTTP packets sent |
Connection State | Statistics of connections in various states |
ESTABLISHED | Number of connections in ESTABLISHED state |
CLOSE_WAIT | Number of connections in CLOSE_WAIT state |
LAST_ACK | Number of connections in LAST_ACK state |
FIN_WAIT_1 | Number of connections in FIN_WAIT_1 state |
FIN_WAIT_2 | Number of connections in FIN_WAIT_2 state |
CLOSING | Number of connections in CLOSING state |
display portal user
Syntax
display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display portal user to display information about portal users on a specific interface or all interfaces.
Examples
# Display information about portal users on all interfaces.
<Sysname> display portal user all
Index:2
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode:Stand-alone
MAC IP Vlan Interface
---------------------------------------------------------------------
000d-88f8-0eab 2.2.2.2 0 Vlan-interface1
Index:3
State:ONLINE
SubState:NONE
ACL:3000
Work-mode:Primary
MAC IP Vlan Interface
---------------------------------------------------------------------
000d-88f8-0eac 3.3.3.3 0 Vlan-interface2
Total 2 user(s) matched, 2 listed.
Table 9 Command output
Field | Description |
---|---|
Index | Index of the portal user. |
State | Current status of the portal user. |
SubState | Current sub-status of the portal user. |
ACL | Authorization ACL of the portal user. |
Work-mode | User's working mode: Primary, Secondary, or Stand-alone. |
MAC | MAC address of the portal user. |
IP | IP address of the portal user. |
Vlan | VLAN to which the portal user belongs. |
Interface | Interface to which the portal user is attached. |
Total 2 user(s) matched, 2 listed | Total number of portal users. |
portal auth-network
Syntax
portal auth-network network-address { mask-length | mask }
undo portal auth-network { network-address | all }
View
Interface view
Default level
2: System level
Parameters
network-address: IP address of the authentication source subnet.
mask-length: Length of the subnet mask, in the range of 0 to 32.
mask: Subnet mask, in dotted decimal notation.
all: Specifies all authentication source subnets.
Description
Use portal auth-network to configure a portal authentication source subnet on an interface. You can use this command to configure multiple portal authentication source subnets on an interface. Then, only HTTP packets from the subnets can trigger portal authentication on the interface. If an unauthenticated user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.
Use undo portal auth-network to remove a specific portal authentication source subnet or all portal authentication subnets.
By default, the portal authentication source subnet is 0.0.0.0/0, meaning that users in all subnets must pass portal authentication.
This command is only applicable for cross-subnet authentication (layer3). The portal authentication source subnet for direct authentication (direct) can be any source IP address, and the portal authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP address of the interface connecting the users.
You can configure up to 32 authentication source subnets by executing the portal auth-network command repeatedly.
Examples
# Configure a portal authentication source subnet of 10.10.10.0/24 on interface VLAN-interface 2 to allow users from subnet 10.10.10.0/24 to trigger portal authentication.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal auth-network 10.10.10.0 24
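The decision the description above spells out for an unauthenticated user's packet (portal-free rule match, HTTP from an authentication source subnet, or discard) is easy to get wrong when several subnets and free rules coexist. The model below is an added example, not code from the command reference or the device. It assumes that a portal-free rule reduces to a source subnet plus a destination subnet, that "HTTP" means TCP to destination port 80, and takes the 32-subnet limit and the 0.0.0.0/0 default from the description; the class and function names are mine.

```python
"""Classify a packet from an unauthenticated user on an interface running
cross-subnet (layer3) portal authentication, following the description of
`portal auth-network`: a packet matching a portal-free rule passes, an HTTP
packet from an authentication source subnet triggers portal authentication
(redirect), and anything else is discarded.

Added example, not from the command reference. Simplifications (assumed):
a portal-free rule is modelled as a source subnet plus destination subnet,
and "HTTP" means TCP to destination port 80.
"""
import ipaddress

ANY_SUBNET = ipaddress.ip_network("0.0.0.0/0")  # the default when nothing is configured
MAX_AUTH_NETWORKS = 32  # limit stated in the command description


def parse_subnet(address, mask):
    """Accept both forms the command takes: a mask length ("24") or a
    dotted-decimal mask ("255.255.255.0")."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


class PortalInterface:
    def __init__(self):
        self.auth_networks = []  # configured with `portal auth-network`
        self.free_rules = []     # (source subnet, destination subnet)

    def add_auth_network(self, address, mask):
        if len(self.auth_networks) >= MAX_AUTH_NETWORKS:
            raise ValueError("at most 32 authentication source subnets")
        self.auth_networks.append(parse_subnet(address, mask))

    def remove_all_auth_networks(self):
        """`undo portal auth-network all`: back to the 0.0.0.0/0 default."""
        self.auth_networks = []

    def add_free_rule(self, src_address, src_mask, dst_address, dst_mask):
        self.free_rules.append((parse_subnet(src_address, src_mask),
                                parse_subnet(dst_address, dst_mask)))

    def classify(self, src_ip, dst_ip, protocol, dst_port):
        """Return "permit", "redirect" or "drop" for one packet."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # Portal-free rules are honoured regardless of the source subnet.
        if any(src in s and dst in d for s, d in self.free_rules):
            return "permit"
        # With no subnet configured, the default 0.0.0.0/0 applies.
        networks = self.auth_networks or [ANY_SUBNET]
        is_http = protocol == "tcp" and dst_port == 80
        if is_http and any(src in net for net in networks):
            return "redirect"  # triggers portal authentication
        return "drop"


if __name__ == "__main__":
    # The manual's example subnet, plus a constructed free rule for a DNS server.
    vlan2 = PortalInterface()
    vlan2.add_auth_network("10.10.10.0", "24")
    vlan2.add_free_rule("0.0.0.0", "0", "192.168.1.15", "255.255.255.255")
    print(vlan2.classify("10.10.10.5", "8.8.8.8", "tcp", 80))   # redirect
    print(vlan2.classify("10.10.11.5", "8.8.8.8", "tcp", 80))   # drop
    print(vlan2.classify("10.10.11.5", "192.168.1.15", "udp", 53))  # permit
```

The point the model makes visible is that narrowing the authentication source subnet does not silently let other hosts through: a host outside every configured subnet is dropped unless a portal-free rule covers its traffic, so DNS and similar pre-authentication services need an explicit free rule.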
portal backup-group
Syntax
portal backup-group group-id
undo portal backup-group
View
Interface view
Default level
2: System level
Parameters
group-id: Portal group ID, in the range of 1 to 256.
Description
Use portal backup-group to specify the portal group to which the interface belongs. The portal service backup interfaces in the same portal group back up the portal user data of each other.
Use undo portal backup-group to restore the default.
By default, a portal service backup interface does not belong to any portal group.
In a stateful failover networking environment, with portal service backup configured, the source backup device sends the portal user data from the local portal service backup interface to the corresponding portal service backup interface on the destination backup device, which then saves the data. This command is used to associate the specified portal service backup interfaces on the two devices.
In this document, an interface for backing up portal services is called "portal service backup interface", which is different from the stateful failover interface for backing up service data and transmitting state negotiation packets.
After an interface on a device is added to a portal group, the other interfaces on the device cannot be added to the portal group.
On two devices that back up each other, the portal service backup interfaces on both devices must be up, belong to the same portal group, and have portal authentication enabled; otherwise, user data on the two portal service backup interfaces cannot be synchronized.
NOTE: Support for this command depends on the device model. For more information, see About the WX Series Access Controllers Command References.
Examples
# In the stateful failover networking environment, add the portal service backup interface VLAN-interface 1 to portal group 1 on the source backup device.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] portal backup-group 1
On the peer device (destination backup device), you must also add the corresponding service backup interface to portal group 1.
portal delete-user
Syntax
portal delete-user { ip-address | all | interface interface-type interface-number }
View
System view
Default level
2: System level
Parameters
ip-address: Logs off the user with the specified IP address.
all: Logs off all users.
interface interface-type interface-number: Logs off all users on the specified interface.
Description
Use portal delete-user to log off users.
Related commands: display portal user.
Examples
# Log out the user whose IP address is 1.1.1.1.
<Sysname> system-view
[Sysname] portal delete-user 1.1.1.1
portal domain
Syntax
portal domain domain-name
undo portal domain
View
Interface view
Default level
2: System level
Parameters
domain-name: ISP domain name, a case-insensitive string of 1 to 24 characters. The domain specified by this argument must already exist.
Description
Use portal domain to specify an authentication domain for an interface. Then, the device will use the authentication domain for authentication, authorization and accounting (AAA) of the portal users on the interface.
Use undo portal domain to restore the default.
By default, no authentication domain is specified for an interface.
Related commands: display portal interface.
Examples
# Configure the authentication domain to be used for portal users on VLAN-interface 100 as my-domain.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal domain my-domain
portal forbidden-rule
Syntax
portal forbidden-rule rule-number destination { ip { hostname | ip-address [ mask { mask-length | netmask } ] } | { { tcp | udp } port-number } } *
undo portal forbidden-rule rule-number
View
System view
Default level
2: System level
Parameters
rule-number: Specifies a number for the portal-forbidden rule, in the range of 0 to 63.
destination ip: Specifies a destination resource for the portal-forbidden rule.
hostname: Specifies a domain name for the portal-forbidden rule.
ip-address: Specifies an IP address for the portal-forbidden rule.
mask { mask-length | netmask }: Specifies a mask or mask length for the IP address. The mask argument is a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer in the range of 0 to 32.
tcp port-number: Specifies a TCP port number, in the range of 0 to 65535.
udp port-number: Specifies a UDP port number, in the range of 0 to 65535.
Description
Use portal forbidden-rule to configure a portal-forbidden rule and specify the forbidden resource to access.
Use undo portal forbidden-rule to remove a portal-forbidden rule or all portal-forbidden rules.
You can create or remove a portal-forbidden rule, but cannot modify a portal-forbidden rule.
Examples
# Configure a portal-forbidden rule, denying any packet whose destination domain name is www.xyz.com.
<Sysname> system-view
[Sysname] portal forbidden-rule 10 destination ip www.xyz.com
# Configure a portal-forbidden rule, denying any packet whose destination TCP port number is 80.
<Sysname> system-view
[Sysname] portal forbidden-rule 13 destination tcp 80
# Configure a portal-forbidden rule, denying any packet whose destination IP address is 2.2.2.2/24.
<Sysname> system-view
[Sysname] portal forbidden-rule 14 destination ip 2.2.2.2 mask 32
portal free-rule
Syntax
portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | netmask } | any } | hostname hostname } | source { any | [ { interface interface-type interface-number | wlan ssid ssid } | ip { ip-address mask { mask-length | netmask } | any } | mac mac-address | vlan vlan-id ] * } } *
undo portal free-rule { rule-number | all }
View
System view
Default level
2: System level
Parameters
rule-number: Specifies a number for the portal-free rule, in the range of 0 to 63.
any: Imposes no limitation on the previous keyword.
ip ip-address: Specifies an IP address.
mask { mask-length | netmask }: Specifies the mask of the IP address, which can be in dotted decimal notation or an integer in the range of 0 to 32.
interface interface-type interface-number: Specifies a source interface.
hostname hostname: Specifies a domain name for the portal-free rule. Users can access the domain name without portal authentication.
wlan: Specifies WLAN parameters.
ssid ssid: Specifies an SSID by its name, a case-insensitive string of 1 to 32 characters.
mac mac-address: Specifies a source MAC address in the format H-H-H.
vlan vlan-id: Specifies a source VLAN ID.
all: Specifies all portal-free rules.
Description
Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination filtering condition, or both.
Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules.
If you specify both the source IP address and source MAC address, the IP address must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect.
If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.
You cannot configure a portal-free rule to have the same filtering criteria as that of an existing one. Otherwise, the system prompts that the rule already exists.
Regardless of whether portal authentication is enabled, you can only add or remove a portal-free rule; you cannot modify it.
A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation group.
Related commands: display portal free-rule.
Examples
# Configure a portal-free rule, allowing any packet whose source IP address is 10.10.10.1/24 and source interface is GigabitEthernet 1/0/1 to bypass portal authentication.
<Sysname> system-view
[Sysname] portal free-rule 15 source ip 10.10.10.1 mask 24 interface GigabitEthernet1/0/1 destination ip any
# Configure a portal-free rule, allowing WLAN packets with SSID of test to bypass portal authentication.
<Sysname> system-view
[Sysname] portal free-rule 15 source wlan ssid test
# Configure a portal-free rule, allowing any packet whose destination domain name is http://www.xyz.com to bypass portal authentication.
<Sysname> system-view
[Sysname] portal free-rule 10 destination hostname http://www.xyz.com
portal local-server
Syntax
portal local-server { http | https server-policy policy-name }
undo portal local-server { http | https }
View
System view
Default level
2: System level
Parameters
http: Specifies that the local portal server use HTTP to exchange authentication packets with clients.
https: Specifies that the local portal server use HTTPS to exchange authentication packets with clients.
server-policy policy-name: Specifies the SSL server policy to be associated with the HTTPS service. policy-name indicates an SSL server policy name, a case-insensitive string of 1 to 16 characters.
Description
Use portal local-server to configure the protocol type to be supported by the local portal server and load the default authentication page file.
Use undo portal local-server to cancel the configuration.
By default, the local portal server does not support any protocol type.
· When you execute this command, the local portal server loads the default authentication page file, which must be saved in the root directory of the device. To make sure that the local portal server uses the user-defined default authentication pages, edit and save them properly before executing this command. Otherwise, the system default authentication pages are used.
· If you specify HTTP in this command, the redirection URL for HTTP packets is in the format of http://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTP.
· If you specify HTTPS in this command, the redirection URL for HTTP packets is in the format of https://IP address of the device/portal/logon.htm, and clients and the portal server exchange authentication information through HTTPS.
· You cannot remove an SSL server policy using the undo ssl server-policy command if the policy has been referenced by the HTTPS service.
· On the device, all the SSL server policies referenced by the HTTPS service must be the same.
· If an online portal user exists on the device, you cannot remove or change the configured protocol type, or modify the SSL server policies referenced.
· To change the SSL server policy referenced by HTTPS service, you must cancel the HTTPS configuration using the undo portal local-server https command, and then specify the desired SSL server policy.
Related commands: display portal local-server and ssl server-policy.
Examples
# Configure the local portal server to support HTTP.
<Sysname> system-view
[Sysname] portal local-server http
# Configure the local portal server to support HTTPS and reference SSL server policy policy1, which has been configured already.
<Sysname> system-view
[Sysname] portal local-server https server-policy policy1
# Change the referenced SSL server policy to policy2.
[Sysname] undo portal local-server https
[Sysname] portal local-server https server-policy policy2
portal local-server bind
Syntax
portal local-server bind ssid ssidname&<1-10> file filename
undo portal local-server bind { ssid ssidname&<1-10> | all }
View
System view
Default level
2: System level
Parameters
ssid ssidname&<1-10>: Specifies the SSIDs to be bound. The ssidname argument indicates the identifier of an SSID service template, a case-insensitive string of 1 to 32 characters. An SSID string can contain letters, numerals, and spaces, but cannot include spaces at the beginning or end of the string and cannot be f, fi, fil, or file. &<1-10> indicates that you can specify one to ten SSIDs.
file filename: Specifies the file to be bound. The filename argument indicates the name of a customized authentication page file, excluding the path. The filename argument is a string of 1 to 91 characters, and can contain letters, numerals, and underscores. You can edit authentication page files and save them in the portal directory under the root directory of the access device.
all: Specifies all the bound SSIDs.
Description
Use portal local-server bind to configure a binding between one or more SSIDs and an authentication page file. According to the configuration, the local portal server will push the authentication pages of the specified file to the specified SSID clients.
Use undo portal local-server bind to cancel the binding between the customized page file and the specified or all SSIDs.
By default, no binding is configured.
When a user accesses the portal page, if no SSID-to-customized page file binding is configured on the device, the local portal server pushes the default authentication pages to the client. If such a binding is configured on the device, the local portal server pushes the authentication pages from the customized page file that is bound to the SSID of the user logon interface.
If the name or contents of the file in a binding entry are changed, you must re-configure the binding.
To modify a binding, simply re-execute the portal local-server bind command, without canceling the existing binding.
If you bind the same SSID to different authentication page files, the last binding takes effect.
Up to 128 binding entries are allowed on the device.
Related commands: display portal local-server.
Examples
# Bind SSID1 and SSID2 to the customized authentication page file named file12.zip.
<Sysname> system-view
[Sysname] portal local-server bind ssid ssid1 ssid2 file file12.zip
portal log packet
Syntax
portal log packet
undo portal log packet
View
System view
Default level
2: System level
Parameters
None
Description
Use portal log packet to enable logging for portal packets.
Use undo portal log packet to disable logging for portal packets.
By default, the portal packet logging function is disabled.
Examples
# Enable logging for portal packets.
<Sysname> system-view
[Sysname] portal log packet
portal mac-trigger enable
Syntax
portal mac-trigger enable [ period period-value ] [ threshold threshold-value ]
undo portal mac-trigger enable
View
VLAN interface view
Default level
2: System level
Parameters
period period-value: Specifies the interval at which the access device collects statistics for user traffic. The period-value argument ranges from 60 to 7200 and defaults to 300, in seconds.
threshold threshold-value: Specifies the traffic threshold that triggers MAC-based quick portal authentication. The threshold-value argument ranges from 0 to 10240000 and defaults to 0, in bytes. A value of 0 means that the device performs MAC-based quick portal authentication for a portal user as long as the user accesses the network, and only allows the traffic that is permitted by portal-free rules before the user passes the authentication. A bigger threshold means that more traffic is allowed before authentication. Set a proper threshold as needed.
Description
Use portal mac-trigger enable to enable MAC-based quick portal authentication (also referred to as MAC-triggered authentication) on an interface.
Use undo portal mac-trigger enable to restore the default.
By default, MAC-triggered authentication is disabled.
The access device checks portal user traffic in real time. In one statistical interval, a user can access the external network before the user's traffic reaches the threshold. When the user's traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user. If the user passes the authentication, the user can continue accessing the network, the statistics are cleared, and a new statistical interval starts. If the user fails the authentication, the user cannot access the network in the current interval, the statistics are cleared when the interval expires, and a new statistical interval starts.
To enable MAC-triggered authentication, you must complete the following tasks:
· Complete basic Layer 3 portal authentication configuration.
· Specify the IP address and port number of a MAC binding server.
· Enable MAC-triggered authentication on the interface enabled with Layer 3 portal authentication.
· Use portal server to specify the MAC binding server's IP address as the portal server's IP address, and specify any name for the portal server. You do not need to specify other parameters in the portal server command.
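To make the statistical interval and traffic threshold behaviour concrete, the following is an added Python model of the logic described above. It is an illustration written for this page, not H3C device code: the class name MacTriggerPolicy, the authenticate callback that stands in for the MAC binding server lookup, and the MAC addresses and byte counts are all constructed. One detail the reference does not state is whether the packet that reaches the threshold is itself forwarded; the model assumes it is forwarded only if authentication succeeds. The second trace shows the consequence of a non-zero threshold: a user who fails authentication is blocked only for the rest of the current interval and receives a fresh pre-authentication allowance when the next interval starts.

```python
"""Model of the traffic threshold behind MAC-triggered portal authentication.

Hypothetical illustration for this page, not H3C device code. It follows the
description of `portal mac-trigger enable`: per-user byte statistics are kept
per statistical interval (`period`), authentication is triggered when the
count reaches `threshold`, and a user who fails authentication is blocked
until the interval expires. The packet that reaches the threshold is assumed
to be forwarded only if authentication succeeds (an assumption).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class IntervalStats:
    start: float          # time the current statistical interval began
    bytes_seen: int = 0   # user traffic counted in this interval
    denied: bool = False  # failed authentication; blocked until the interval expires


class MacTriggerPolicy:
    def __init__(self, authenticate: Callable[[str], bool],
                 period: int = 300, threshold: int = 0) -> None:
        # Ranges and defaults as documented for the command.
        if not 60 <= period <= 7200:
            raise ValueError("period must be 60..7200 seconds")
        if not 0 <= threshold <= 10240000:
            raise ValueError("threshold must be 0..10240000 bytes")
        self.authenticate = authenticate      # stands in for the MAC binding server lookup
        self.period = period
        self.threshold = threshold
        self.stats: Dict[str, IntervalStats] = {}
        self.online: Set[str] = set()         # users that passed authentication

    def _current(self, mac: str, now: float) -> IntervalStats:
        st = self.stats.get(mac)
        if st is None or now - st.start >= self.period:
            # Interval expired: statistics (and the denied flag) are cleared.
            st = IntervalStats(start=now)
            self.stats[mac] = st
        return st

    def forward(self, mac: str, nbytes: int, now: float) -> bool:
        """Decide whether a packet of `nbytes` from `mac` at time `now` is forwarded."""
        if mac in self.online:
            return True                       # authenticated users are not re-checked
        st = self._current(mac, now)
        if st.denied:
            return False
        st.bytes_seen += nbytes
        if st.bytes_seen < self.threshold:
            return True                       # pre-authentication allowance of this interval
        # Threshold reached: trigger MAC-based quick portal authentication.
        if self.authenticate(mac):
            self.online.add(mac)
            del self.stats[mac]               # statistics cleared, new interval starts
            return True
        st.denied = True                      # blocked for the rest of this interval
        return False


def simulate(policy: MacTriggerPolicy,
             packets: List[Tuple[str, int, float]]) -> List[bool]:
    """Run a constructed packet trace of (mac, bytes, time) through the policy."""
    return [policy.forward(mac, nbytes, t) for mac, nbytes, t in packets]


def demo() -> Tuple[List[bool], List[bool]]:
    # Constructed MAC binding server: only 00e0-fc00-0001 has a bound account.
    bound = {"00e0-fc00-0001"}
    # Case 1: threshold 0 (the default): authentication on the very first packet.
    strict = MacTriggerPolicy(lambda mac: mac in bound, period=60, threshold=0)
    strict_trace = simulate(strict, [("00e0-fc00-0002", 100, 0.0),    # unbound: denied
                                     ("00e0-fc00-0001", 100, 0.0),    # bound: passes, goes online
                                     ("00e0-fc00-0001", 9000, 1.0)])  # online: forwarded
    # Case 2: threshold 1000 bytes: an unbound user gets up to the threshold per interval.
    lenient = MacTriggerPolicy(lambda mac: mac in bound, period=60, threshold=1000)
    lenient_trace = simulate(lenient, [("00e0-fc00-0002", 600, 0.0),   # below threshold: forwarded
                                       ("00e0-fc00-0002", 600, 1.0),   # 1200 >= 1000: auth fails
                                       ("00e0-fc00-0002", 10, 2.0),    # denied for rest of interval
                                       ("00e0-fc00-0002", 10, 60.0)])  # new interval: allowance again
    return strict_trace, lenient_trace


if __name__ == "__main__":
    print(demo())
```

The default threshold of 0 makes the first packet trigger authentication, which is the safest setting; raising it trades a bounded amount of unauthenticated traffic per interval for convenience, as the second trace shows.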
Related commands: portal mac-trigger server, portal server method, portal server.
NOTE: Support for this command depends on the device model. For more information, see About the H3C WX Access Controller Series Command References.
Examples
# Enable MAC-triggered authentication on a VLAN interface, specify the traffic inspection interval as 300 seconds, and specify the traffic threshold as 10240 bytes.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] portal mac-trigger enable period 300 threshold 10240
portal mac-trigger server
Syntax
portal mac-trigger server ip ip-address [ port port-number ]
undo portal mac-trigger server
View
System view
Default level
2: System level
Parameters
ip ip-address: Specifies the IPv4 address of a MAC binding server.
port port-number: Specifies the UDP port number on which the MAC binding server listens for MAC binding requests from the access device. The port-number argument ranges from 1 to 65534 and defaults to 50100.
Description
Use portal mac-trigger server to specify a MAC binding server.
Use undo portal mac-trigger server to restore the default.
By default, no MAC binding server is specified.
A MAC binding server records MAC-to-account information for portal users. When the MAC binding server receives a MAC binding query from the access device, it checks whether the MAC address has a match. If yes, the MAC binding server obtains the user's account information, and sends the user's username and password to the portal server for portal authentication.
Related commands: portal mac-trigger enable.
NOTE: Support for this command depends on the device model. For more information, see About the H3C WX Access Controller Series Command References.
Examples
# Specify the MAC binding server whose IP address is 2.2.2.2 and port number is 50111.
<Sysname> system-view
[Sysname] portal mac-trigger server ip 2.2.2.2 port 50111
portal max-user
Syntax
portal max-user max-number
undo portal max-user
View
System view
Default level
2: System level
Parameters
max-number: Maximum number of online portal users allowed in the system. The value range varies with the device model. For more information, see About the WX Series Access Controllers Command References.
Description
Use portal max-user to set the maximum number of online portal users allowed in the system.
Use undo portal max-user to restore the default.
By default, the maximum number of portal users allowed depends on the device model. For more information, see About the WX Series Access Controllers Command References.
If the maximum number of portal users specified in the command is less than the number of current online portal users, the command is executed successfully and does not affect the online portal users. However, the system does not allow new portal users to log in until the number drops below the limit.
Examples
# Set the maximum number of portal users allowed in the system to 100.
<Sysname> system-view
[Sysname] portal max-user 100
portal nas-id-profile
Syntax
portal nas-id-profile profile-name
undo portal nas-id-profile
View
Interface view
Default level
2: System level
Parameters
profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs, a case-insensitive string of 1 to 16 characters. The profile can be configured by using the aaa nas-id profile command. For more information about this command, see "AAA configuration commands."
Description
Use portal nas-id-profile to specify a NAS ID profile for the interface.
Use undo portal nas-id-profile to cancel the configuration.
By default, an interface is not specified with any NAS ID profile.
If an interface is specified with a NAS ID profile, the interface will prefer to use the binding defined in the profile. If no NAS ID profile is specified for an interface or no matching binding is found in the specified profile, the device uses the device name as the interface NAS ID.
Examples
# Specify NAS ID profile aaa for VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal nas-id-profile aaa
portal nas-ip
Syntax
portal nas-ip ip-address
undo portal nas-ip
View
Interface view
Default level
2: System level
Parameters
ip-address: Source IP address to be specified for portal packets. This IP address must be a local IP address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
Description
Use portal nas-ip to configure the source IP address for the interface to use for portal packets to be sent.
Use undo portal nas-ip to restore the default.
By default, no source IP address is specified, and the IP address of the user access interface is used as the source IP address of the portal packets.
Examples
# Configure the source IP address for portal packets to be sent on VLAN-interface 5 as 2.2.2.2.
<Sysname> system-view
[Sysname] interface vlan-interface 5
[Sysname-Vlan-interface5] portal nas-ip 2.2.2.2
portal nas-port-type
Syntax
portal nas-port-type { ethernet | wireless }
undo portal nas-port-type
View
Interface view
Default level
2: System level
Parameters
ethernet: Specifies the access port type as Ethernet, which corresponds to code 15.
wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to code 19. This keyword is usually specified on an interface for wireless portal users to make sure that the NAS-Port-Type value delivered by the access device to the RADIUS server is wireless.
Description
Use portal nas-port-type to specify the access port type (indicated by the NAS-Port-Type value) on the current interface. The specified NAS-Port-Type value will be carried in the RADIUS requests sent from the device to the RADIUS server.
Use undo portal nas-port-type to restore the default.
By default, the access port type of an interface is not specified, and the NAS-Port-Type value carried in RADIUS requests is the user access port type obtained by the access device.
Examples
# Specify the NAS-Port-Type value of VLAN-interface 2 as IEEE 802.11 standard wireless interface.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal nas-port-type wireless
portal redirect-url
Syntax
portal redirect-url url-string [ wait-time period ]
undo portal redirect-url
View
System view
Default level
2: System level
Parameters
url-string: Auto redirection URL for authenticated portal users, a string of 1 to 127 characters. It must start with http:// or https:// and must be a fully qualified URL.
period: Time that the device must wait before redirecting a user passing portal authentication to the auto redirection URL. It ranges from 1 to 90 and defaults to 5, in seconds.
Description
Use portal redirect-url to specify the auto redirection URL for authenticated portal users.
Use undo portal redirect-url to restore the default.
By default, an authenticated user is redirected to the URL the user typed in the address bar before portal authentication.
With Layer 3 portal authentication, this feature requires the cooperation of the IMC server, which must support the page auto-redirection function.
The wait-time period option takes effect only for local portal authentication.
Examples
# Configure the device to redirect a portal user to http://www.testpt.cn 3 seconds after the user passes portal authentication.
<Sysname> system-view
[Sysname] portal redirect-url http://www.testpt.cn wait-time 3
portal server
Syntax
portal server server-name ip ip-address [ key key-string | port port-id | server-type { cmcc | imc } | url url-string ] *
undo portal server server-name [ key | port | url ]
View
System view
Default level
2: System level
Parameters
server-name: Name of the portal server, a case-sensitive string of 1 to 32 characters.
ip-address: IP address of the portal server. If you specify the local portal server, the IP address specified must be that of a Layer 3 interface on the device and must be reachable from the portal clients. In portal stateful failover environments, however, it is recommended that you specify the virtual IP address of the VRRP group to which the downlink belongs.
key-string: Shared key for communication with the portal server, a case-sensitive string of 1 to 16 characters. Portal packets exchanged between the access device and the portal server carry an authenticator, which is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.
port-id: Destination port number used when the device sends an unsolicited message to the portal server, in the range of 1 to 65534. The default is 50100.
server-type { cmcc | imc }: Specifies the portal server type. The default is imc. Support for this keyword combination depends on the device model.
· cmcc: CMCC portal server. To use a CMCC portal server, you must also specify a device ID for the device by using the portal device-id command.
· imc: H3C IMC portal server or H3C CAMS portal server.
url-string: Uniform resource locator (URL) to which HTTP packets are to be redirected. The default URL is in the http://ip-address format, where ip-address is the IP address of the portal server. You can also specify the domain name of the portal server, in which case you must use the portal free-rule command to configure the IP address of the DNS server as a portal authentication-free destination IP address.
Description
Use portal server to configure a portal server for Layer 3 portal authentication.
Use undo portal server to remove a portal server, restore the default destination port and default URL address, or delete the shared key.
By default, no portal server is configured for Layer 3 portal authentication.
Note the following guidelines when you configure a portal server:
· The specified server name and URL string cannot contain any of these characters: ?<>\''%'&#
· If the specified portal server exists and no user is on the interfaces referencing the portal server, using the undo portal server server-name command removes the specified portal server, and if keyword port or url is also provided, the command will restore the destination port number or URL address to the default.
· The configured portal server and its parameters can be removed or modified only when the portal server is not referenced by an interface. To remove or modify the settings of a portal server that has been referenced by an interface, you must first remove the portal configuration on the interface by using the undo portal command.
· For local portal server configuration, the keywords key, port, and url are usually not required and, if configured, do not take effect. When using local portal servers for stateful failover in wireless environments, however, the keyword url is required and the address format must be http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm. Which address format is used depends on the protocol type (HTTP or HTTPS, configured by the portal local-server command) supported by the local portal servers. The ip-address is the virtual IP address of the VRRP group to which the downlink belongs.
Related commands: display portal server.
Examples
# Configure portal server pts, setting the IP address to 192.168.0.111, the key to portal, and the redirection URL to http://192.168.0.111/portal.
<Sysname> system-view
[Sysname] portal server pts ip 192.168.0.111 key portal url http://192.168.0.111/portal
portal server banner
Syntax
portal server banner banner-string
undo portal server banner
View
System view
Default level
2: System level
Parameters
banner-string: Welcome banner for the web page, a case-sensitive string of 1 to 50 characters. It cannot contain the less-than sign (<) or the and sign (&). If multiple continuous spaces exist in the string, the browser will recognize them as one.
Description
Use portal server banner to configure the welcome banner of the default web page provided by the local portal server.
Use undo portal server banner to restore the default.
By default, no web page welcome banner is configured.
The configured welcome banner is applied to only the default authentication pages, rather than the customized authentication pages.
Examples
# Configure the welcome banner of the default web page provided by the local portal server as Welcome to Portal Authentication.
<Sysname> system-view
[Sysname] portal server banner Welcome to Portal Authentication
portal server method
Syntax
portal server server-name method { direct | layer3 | redhcp }
undo portal
View
Interface view
Default level
2: System level
Parameters
server-name: Name of the portal server, a case-sensitive string of 1 to 32 characters.
method: Specifies the authentication mode to be used.
direct: Direct authentication.
layer3: Cross-subnet authentication.
redhcp: Re-DHCP authentication.
Description
Use portal server method to enable Layer 3 portal authentication on an interface, and specify the portal server and the authentication mode to be used.
Use undo portal to disable Layer 3 portal authentication on an interface.
By default, Layer 3 portal authentication is disabled on an interface.
The specified portal server must exist.
For the local portal server, the re-DHCP authentication mode can be configured but will not take effect.
Related commands: display portal server.
Examples
# Enable Layer 3 portal authentication on interface VLAN-interface 100, referencing portal server pts and setting the authentication mode to direct.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] portal server pts method direct
portal server server-detect
Syntax
portal server server-name server-detect method { http | portal-heartbeat } * action { log | permit-all | trap } * [ interval interval ] [ retry retries ]
undo portal server server-name server-detect
View
System view
Default level
2: System level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.
server-detect method { http | portal-heartbeat }: Specifies the portal server detection method. Two detection methods are available:
· http: Probes HTTP connections. In this method, the access device periodically sends TCP connection requests to the HTTP service port of the portal servers enabled on its interfaces. If the TCP connection with a portal server can be established, the access device considers that the HTTP service of the portal server is open and the portal server is reachable—the detection succeeds. If the TCP connection cannot be established, the access device considers that the detection fails—the portal server is unreachable. If a portal server does not support the portal server heartbeat function, you can configure the device to use the HTTP probe method to detect the reachability of the portal server.
· portal-heartbeat: Probes portal heartbeat packets. Portal servers periodically send portal heartbeat packets to the access device. If the access device receives a portal heartbeat packet from a portal server within the specified interval, it considers that the probe succeeds and the portal server is reachable; otherwise, it considers that the probe fails and the portal server is unreachable. This method works only with portal servers that support the portal heartbeat function; only the IMC portal server supports it. To implement detection with this method, you must also configure the portal server heartbeat function on the IMC portal server and make sure that the server heartbeat interval configured on the portal server is shorter than or equal to the probe interval configured on the device.
action { log | permit-all | trap }: Specifies the actions to be taken when the status of a portal server changes. The following actions are available:
· log: Specifies the action as sending a log message. When the status (reachable/unreachable) of a portal server changes, the access device sends a log message. The log message contains the portal server name and the current state and original state of the portal server.
· permit-all: Specifies the action as disabling portal authentication—enabling portal authentication bypass. When the device detects that a portal server is unreachable, it disables portal authentication on the interface referencing the portal server, allowing all portal users on this interface to access network resources. When the access device receives the portal server heartbeat packets or authentication packets (such as login requests and logout requests), it re-enables the portal authentication function.
· trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of a portal server changes, the access device sends a trap message to the network management server (NMS). The trap message contains the portal server name and the current state of the portal server.
interval interval: Specifies the interval at which probe attempts are made. The interval argument ranges from 20 to 600 and defaults to 20, in seconds.
retry retries: Specifies the maximum number of probe attempts. The retries argument ranges from 1 to 5 and defaults to 3. If the number of consecutive, failed probes reaches this value, the access device considers that the portal server is unreachable.
Description
Use portal server server-detect to configure portal server detection, including the detection method, action, probe interval, and maximum number of probe attempts. With this function configured, the device checks the status of the specified server periodically and takes the specified actions when the server status changes.
Use undo portal server server-detect to cancel the detection of the specified portal server.
By default, the portal server detection function is not configured.
Note the following guidelines when you configure the portal server detection function:
· You can specify one or more detection methods and the actions to be taken.
· If you specify both detection methods, a portal server is regarded as unreachable as long as one detection method fails, and an unreachable portal server is regarded as recovered only when both detection methods succeed.
· If you specify multiple actions, the system executes all the specified actions when the status of a portal server changes.
· If you configure the detection function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.
Deleting a portal server on the device also deletes the detection function for the portal server.
The portal server detection function takes effect only when the portal server is referenced on an interface.
Authentication-related packets from a portal server, such as logon requests and logoff requests, have the same effect as the portal heartbeat packets for the portal server detection function.
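The following added Python model shows how the detection methods, the retry count, and the actions described above combine over a sequence of probe intervals. It is an illustration written for this page, not H3C device code; the class names DetectConfig and PortalServerDetector, the server name pts, and the probe outcomes are constructed. Each probe() call stands for one probe interval, and the caller passes whether a heartbeat or an authentication packet (which counts the same) arrived in that interval. The trace is worth studying from a defender's view: with permit-all configured, two consecutive failures open the interface to unauthenticated users until both methods succeed again.

```python
"""Model of portal server detection (`portal server server-detect`).

Hypothetical illustration for this page, not H3C device code. One call to
`probe()` represents one probe interval; the caller supplies the HTTP probe
result and whether a heartbeat (or authentication packet, which the reference
says has the same effect) arrived from the server in that interval.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

VALID_METHODS = {"http", "portal-heartbeat"}
VALID_ACTIONS = {"log", "permit-all", "trap"}


@dataclass
class DetectConfig:
    methods: Set[str]
    actions: Set[str]
    interval: int = 20   # seconds, 20..600
    retry: int = 3       # consecutive failed probes before "unreachable", 1..5

    def __post_init__(self) -> None:
        if not self.methods or not self.methods <= VALID_METHODS:
            raise ValueError("methods must be a non-empty subset of http/portal-heartbeat")
        if not self.actions or not self.actions <= VALID_ACTIONS:
            raise ValueError("actions must be a non-empty subset of log/permit-all/trap")
        if not 20 <= self.interval <= 600:
            raise ValueError("interval must be 20..600 seconds")
        if not 1 <= self.retry <= 5:
            raise ValueError("retry must be 1..5")


@dataclass
class PortalServerDetector:
    name: str
    cfg: DetectConfig
    reachable: bool = True
    failures: int = 0            # consecutive failed probes
    bypass: bool = False         # portal authentication disabled on referencing interfaces
    events: List[Tuple[str, str]] = field(default_factory=list)  # (kind, message)

    def probe(self, http_ok: Optional[bool] = None,
              heartbeat_seen: Optional[bool] = None) -> bool:
        """Evaluate one probe interval and return the server's reachability afterwards."""
        results = []
        if "http" in self.cfg.methods:
            results.append(bool(http_ok))          # TCP connect to the HTTP service port
        if "portal-heartbeat" in self.cfg.methods:
            results.append(bool(heartbeat_seen))   # heartbeat or authentication packet seen
        # Unreachable as soon as any configured method fails; recovered only when all succeed.
        if all(results):
            self.failures = 0
            if not self.reachable:
                self._change_state(True)
        else:
            self.failures += 1
            if self.reachable and self.failures >= self.cfg.retry:
                self._change_state(False)
        return self.reachable

    def _change_state(self, reachable: bool) -> None:
        old = "reachable" if self.reachable else "unreachable"
        new = "reachable" if reachable else "unreachable"
        self.reachable = reachable
        if "log" in self.cfg.actions:   # log carries the original and current state
            self.events.append(("log", f"portal server {self.name}: {old} -> {new}"))
        if "trap" in self.cfg.actions:  # trap carries the current state
            self.events.append(("trap", f"portal server {self.name}: {new}"))
        if "permit-all" in self.cfg.actions:
            self.bypass = not reachable  # authentication bypass while unreachable


def demo() -> Tuple[List[bool], bool, bool, List[str]]:
    # Same settings as the page's example: both methods, all actions, 600 s, retry 2.
    cfg = DetectConfig(methods={"http", "portal-heartbeat"},
                       actions={"log", "permit-all", "trap"}, interval=600, retry=2)
    det = PortalServerDetector("pts", cfg)
    trace = [det.probe(http_ok=True, heartbeat_seen=True),    # healthy
             det.probe(http_ok=False, heartbeat_seen=True),   # 1st failure (TCP connect failed)
             det.probe(http_ok=True, heartbeat_seen=False)]   # 2nd consecutive failure
    bypass_during_outage = det.bypass                         # permit-all now in effect
    trace.append(det.probe(http_ok=True, heartbeat_seen=False))  # heartbeat still missing
    trace.append(det.probe(http_ok=True, heartbeat_seen=True))   # both succeed: recovered
    return trace, bypass_during_outage, det.bypass, [kind for kind, _ in det.events]


if __name__ == "__main__":
    print(demo())
```

Note that in the model a single successful method does not end the outage when both methods are configured; that mirrors the guideline that recovery requires both detection methods to succeed, and it is the reason the fourth probe leaves the bypass in place.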
Related command: display portal server.
Examples
# Configure the device to detect portal server pts, and
· Specify both the HTTP probe and portal heartbeat probe methods
· Set the probe interval to 600 seconds
· Configure the device to send a server-unreachable trap message, send a log message, and disable portal authentication so that unauthenticated portal users are permitted, if two consecutive probes fail.
<Sysname> system-view
[Sysname] portal server pts server-detect method http portal-heartbeat action log permit-all trap interval 600 retry 2
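The following Python model is added here as an illustration of the detection rules stated above; it is not code from the device or from the vendor. It encodes that a probe round fails when any configured method fails, that the server is declared unreachable after retry consecutive failed rounds, that it is declared recovered after one round in which every configured method succeeds (an assumption, since the page gives no separate recovery count), and that the configured actions fire only on a state change. Method and action names are the command keywords; the probe results fed to it are constructed input.

```python
from dataclasses import dataclass, field

METHODS = ("http", "portal-heartbeat")
ACTIONS = ("log", "permit-all", "trap")


@dataclass
class PortalServerDetect:
    """Detection state for one 'portal server <name> server-detect' line."""
    methods: tuple            # one or both of METHODS
    actions: tuple            # any subset of ACTIONS
    retry: int = 3            # 1..5, default 3 as in the command
    reachable: bool = True    # a newly configured server is assumed reachable
    failed_rounds: int = 0    # consecutive probe rounds with at least one failed method
    events: list = field(default_factory=list)   # (transition, actions fired)

    def __post_init__(self):
        if not self.methods or any(m not in METHODS for m in self.methods):
            raise ValueError("method must be one or both of %s" % (METHODS,))
        if any(a not in ACTIONS for a in self.actions):
            raise ValueError("action must be from %s" % (ACTIONS,))
        if not 1 <= self.retry <= 5:
            raise ValueError("retry must be in the range 1 to 5")

    def probe(self, results):
        """Record one probe interval.

        results maps each configured method to True (probe answered) or
        False (probe unanswered).  A heartbeat or authentication packet
        received from the server inside the interval counts as a
        successful portal-heartbeat probe, as the description states.
        Returns the reachability state after this round.
        """
        missing = [m for m in self.methods if m not in results]
        if missing:
            raise ValueError("no result for method(s) %s" % missing)
        if all(results[m] for m in self.methods):
            # Recovery needs every configured method to succeed in the same round.
            self.failed_rounds = 0
            if not self.reachable:
                self.reachable = True
                self.events.append(("recovered", self.actions))
        else:
            # One failed method is enough to make the whole round a failure.
            self.failed_rounds += 1
            if self.reachable and self.failed_rounds >= self.retry:
                self.reachable = False
                self.events.append(("unreachable", self.actions))
        return self.reachable

    def permit_all_active(self):
        """True while 'permit-all' has disabled portal authentication on the interface."""
        return "permit-all" in self.actions and not self.reachable


def run_example():
    """Replays the configuration from the example above against constructed probe results."""
    det = PortalServerDetect(methods=("http", "portal-heartbeat"),
                             actions=("log", "permit-all", "trap"), retry=2)
    rounds = [
        {"http": True,  "portal-heartbeat": False},  # 1st failed round: still reachable
        {"http": False, "portal-heartbeat": False},  # 2nd consecutive failure: unreachable
        {"http": True,  "portal-heartbeat": False},  # one method alone does not recover it
        {"http": True,  "portal-heartbeat": True},   # both succeed: recovered
    ]
    states = [det.probe(r) for r in rounds]
    return states, [name for name, _ in det.events]


if __name__ == "__main__":
    print(run_example())
```

The model makes the operational trade-off visible: while permit_all_active() is true, unauthenticated users are being let through, so permit-all should always be paired with log or trap so that the window is recorded.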
portal server user-sync
Syntax
portal server server-name user-sync [ interval interval ] [ retry retries ]
undo portal server server-name user-sync
View
System view
Default level
2: System level
Parameters
server-name: Name of a portal server, a case-sensitive string of 1 to 32 characters. The specified portal server must already exist.
user-sync: Enables the portal user synchronization function.
interval interval: Specifies the interval at which the device examines the user synchronization packets. The interval argument ranges from 60 to 3600 and defaults to 300, in seconds.
retry retries: Specifies the maximum number of consecutive failed checks. The retries argument ranges from 1 to 5 and defaults to 4. If the access device finds that one of its online users is absent from the user synchronization packets received from the portal server for N consecutive probe intervals (N = retries), it considers that the user no longer exists on the portal server and logs the user off.
Description
Use portal server user-sync to configure portal user information synchronization with a specific portal server. With this function configured, the device periodically examines and responds to the user synchronization packets received from the specified portal server, so as to keep the consistency of the online user information on the device and the portal server.
Use undo portal server user-sync to cancel the portal user information synchronization configuration with the specified portal server.
By default, the portal user synchronization function is not configured.
· The user information synchronization function requires that the portal server support the portal user heartbeat function (only the IMC portal server supports portal user heartbeat). To implement the portal user synchronization function, you also need to configure the user heartbeat function on the portal server and make sure that the user heartbeat interval configured on the portal server is shorter than or equal to the synchronization probe interval configured on the device.
· Deleting a portal server on the device will delete the portal user synchronization configuration with the portal server.
· If you configure the user synchronization function for a portal server multiple times, the last configuration takes effect. If you do not specify an optional parameter, the default setting of the parameter is used.
· For redundant user information on the device, that is, information about users considered nonexistent on the portal server, the device deletes the information during the (N+1)th probe interval, where N is the value of retries configured in the portal server user-sync command.
Examples
# Configure the device to synchronize portal user information with portal server pts, and
· Set the synchronization probe interval to 600 seconds
· Log off a user if the user's information is absent from the user synchronization packets sent by the server in two consecutive probe intervals.
<Sysname> system-view
[Sysname] portal server pts user-sync interval 600 retry 2
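The following Python model is added as an illustration of the synchronization rules above; it is not code from the device or from the vendor. It keeps a per-user counter of consecutive intervals in which the portal server's synchronization packets did not list the user, logs the user off when the counter reaches retry, and resets the counter whenever the user is seen again, so that non-consecutive misses never cause a logoff. That sync packets identify users by IP address, and the sample packet contents, are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class PortalUserSync:
    """Device-side state for one 'portal server <name> user-sync' line."""
    interval: int = 300   # seconds, 60..3600
    retry: int = 4        # 1..5
    misses: dict = field(default_factory=dict)   # online user (IP string) -> consecutive misses
    logged_off: list = field(default_factory=list)

    def __post_init__(self):
        if not 60 <= self.interval <= 3600:
            raise ValueError("interval must be in the range 60 to 3600")
        if not 1 <= self.retry <= 5:
            raise ValueError("retry must be in the range 1 to 5")

    def heartbeat_interval_ok(self, server_heartbeat_interval):
        """Precondition from the description: the server's user heartbeat interval
        must not exceed the device's synchronization interval, otherwise a live
        user can be absent from every packet seen during one device interval."""
        return server_heartbeat_interval <= self.interval

    def user_online(self, user):
        """Called when a user passes portal authentication on the device."""
        self.misses[user] = 0

    def check(self, synced_users):
        """Run one synchronization interval.

        synced_users is the set of users the portal server listed in its user
        synchronization packets during the interval (assumed to be IP
        addresses).  A user absent from 'retry' consecutive intervals is logged
        off; on the device the removal itself happens in the following,
        (retry+1)th, interval.  Returns the users logged off by this check.
        """
        dropped = []
        for user in list(self.misses):
            if user in synced_users:
                self.misses[user] = 0          # seen again: the miss counter restarts
            else:
                self.misses[user] += 1
                if self.misses[user] >= self.retry:
                    dropped.append(user)
        for user in dropped:
            del self.misses[user]
        self.logged_off.extend(dropped)
        return dropped


def run_example():
    """Replays 'portal server pts user-sync interval 600 retry 2' against constructed packets."""
    sync = PortalUserSync(interval=600, retry=2)
    for ip in ("10.1.2.34", "10.1.2.35", "10.1.2.36"):
        sync.user_online(ip)
    packets = [
        {"10.1.2.34", "10.1.2.35"},     # .36 missed once
        {"10.1.2.34", "10.1.2.36"},     # .35 missed once, .36 back (counter reset)
        {"10.1.2.34"},                  # .35 missed twice: logged off; .36 missed once
        {"10.1.2.34", "10.1.2.36"},     # .36 back again; nobody else dropped
    ]
    per_interval = [sync.check(p) for p in packets]
    return per_interval, sorted(sync.misses)


if __name__ == "__main__":
    print(run_example())
```

Running it shows only 10.1.2.35 being logged off, in the third interval, while 10.1.2.36, which was missing twice but not consecutively, stays online. The heartbeat_interval_ok check is the configuration precondition from the bullet list: with a server heartbeat interval longer than the device interval, a genuinely online user would accumulate misses and be dropped.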
portal url-param include
Syntax
portal url-param include { nas-ip | nas-id | user-mac [ des-encrypt ] | user-url } [ param-name param-name ]
undo portal url-param include { nas-ip | nas-id | user-mac [ des-encrypt ] | user-url } [ param-name ]
View
System view
Default level
2: System level
Parameters
nas-ip: Carries the NAS IP parameter. If the source IP address of portal packets has been specified for the interface by using the portal nas-ip command, the source IP address is carried in the redirection URL. Otherwise, the IP address of the user access interface is carried in the redirection URL.
nas-id: Carries the NAS ID parameter.
user-mac: Carries the user MAC parameter. In the redirection URL, the MAC address is a hexadecimal string in the format XX-XX-XX-XX-XX-XX.
des-encrypt: Specifies DES to encrypt user MAC address in the redirection URL. If you do not specify this keyword, the redirection URL contains plaintext user MAC address.
user-url: Carries the user access URL. If you specify this keyword, the user is redirected to the specified user access URL after the user passes portal authentication. If you do not specify this keyword and the user passes portal authentication, the user is redirected to the URL that the user accessed before portal authentication.
param-name param-name: Specifies the name of the included parameter, a case-sensitive string of 1 to 20 characters that contains only letters and digits. The included parameter and its name appear in the redirection URL in the format param-name=param-value.
Description
Use portal url-param include to specify a parameter to be carried in the redirection URL and specify its name.
Use undo portal url-param include to cancel the configuration.
By default, the redirection URL does not carry any parameter.
If you configure to carry the NAS ID parameter, the redirection URL obtains it in the following order:
1. Uses the NAS ID from the WLAN module.
2. Uses the NAS ID configured by using the nas-id-profile command in interface view, which is associated with the user VLAN.
3. Uses the NAS ID configured by using the nas-id command on the interface.
4. Uses the global NAS ID configured by using the portal nas-id command.
If no NAS ID is found after these lookups, the redirection URL does not carry the NAS ID.
Examples
# Configure the redirection URL to carry the NAS ID parameter, with the parameter name wlannasid.
<Sysname> system-view
[Sysname] portal url-param include nas-id param-name wlannasid
After the above configuration, if the NAS ID is test, the redirection URL that the device sends to client 10.1.2.34 is as follows:
http://www.portal.com?wlanacname=0002.0010.100.00&wlanuserip=10.1.2.34&ssid=easy&wlannasid=test
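The following Python functions are added as a worked illustration of how the redirection URL is assembled from the portal url-param include configuration; they are not code from the device or from the vendor. They apply the NAS ID lookup order given above, the XX-XX-XX-XX-XX-XX MAC format, and the param-name character rules. The base parameters wlanacname, wlanuserip and ssid are taken from the example output above; the default parameter name when param-name is omitted (keyword without its hyphen), the ctx field names, and the sample values are assumptions, and des-encrypt is not modelled because the page gives no key. The example also shows why the user access URL must be percent-encoded: otherwise a user who requests a crafted URL could inject a second wlannasid into the redirect.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

KEYWORDS = ("nas-ip", "nas-id", "user-mac", "user-url")
PARAM_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,20}$")   # 1 to 20 letters and digits


def format_user_mac(mac):
    """Render a MAC given as 001122334455, 00:11:22:33:44:55 or 0011.2233.4455
    in the XX-XX-XX-XX-XX-XX form specified for the redirection URL."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2].upper() for i in range(0, 12, 2))


def resolve_nas_id(wlan_nas_id=None, profile_nas_id=None, interface_nas_id=None, global_nas_id=None):
    """NAS ID lookup in the order the description gives: WLAN module, nas-id-profile
    bound to the user VLAN, interface nas-id, global portal nas-id.  None if unset."""
    for candidate in (wlan_nas_id, profile_nas_id, interface_nas_id, global_nas_id):
        if candidate:
            return candidate
    return None


def build_redirect_url(server_url, base_params, includes, ctx):
    """Build the redirection URL.

    base_params: parameters the device always adds (wlanacname, wlanuserip, ssid
                 in the example above); constructed here.
    includes:    list of (keyword, param-name-or-None), one per
                 'portal url-param include' line.
    ctx:         per-user data: interface_ip, optional portal_nas_ip, the four
                 NAS ID sources, user_mac, user_url (assumed field names).
    When no param-name is given, the keyword without its hyphen is used; that
    default is an assumption of this example, not something the page states.
    """
    params = list(base_params.items())
    for keyword, name in includes:
        if keyword not in KEYWORDS:
            raise ValueError("unknown keyword %r" % keyword)
        name = name or keyword.replace("-", "")
        if not PARAM_NAME_RE.match(name):
            raise ValueError("param-name must be 1 to 20 letters or digits: %r" % name)
        if keyword == "nas-ip":
            # portal nas-ip on the interface wins; otherwise the access interface's address
            value = ctx.get("portal_nas_ip") or ctx["interface_ip"]
        elif keyword == "nas-id":
            value = resolve_nas_id(ctx.get("wlan_nas_id"), ctx.get("profile_nas_id"),
                                   ctx.get("interface_nas_id"), ctx.get("global_nas_id"))
            if value is None:
                continue      # no NAS ID anywhere: the parameter is simply not carried
        elif keyword == "user-mac":
            value = format_user_mac(ctx["user_mac"])   # des-encrypt is not modelled here
        else:
            value = ctx["user_url"]
        params.append((name, value))
    if not params:
        return server_url
    # urlencode percent-encodes every value, so an attacker-chosen original URL
    # cannot inject or override parameters in the redirect.
    return server_url + ("&" if "?" in server_url else "?") + urlencode(params)


def redirect_params(url):
    """Decode the query string of a redirection URL into (name, value) pairs."""
    return parse_qsl(urlsplit(url).query)


def run_example():
    """Reproduces the example above: nas-id carried as wlannasid, NAS ID 'test'."""
    base = {"wlanacname": "0002.0010.100.00", "wlanuserip": "10.1.2.34", "ssid": "easy"}
    ctx = {"interface_ip": "10.1.2.1", "interface_nas_id": "test"}
    return build_redirect_url("http://www.portal.com", base, [("nas-id", "wlannasid")], ctx)


if __name__ == "__main__":
    print(run_example())
```

run_example() returns exactly the URL shown above. Passing a user_url such as http://www.example.com/?a=1&wlannasid=evil with user-url included yields a single wlannasid in redirect_params(), because the value arrives percent-encoded and is only decoded as one parameter value by the portal server.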
portal web-proxy port
Syntax
portal web-proxy port port-number
undo portal web-proxy port { port-number | all }
View
System view
Default level
2: System level
Parameters
all: Specifies the TCP port numbers of all web proxy servers.
port-number: Specifies the TCP port number used by a web proxy server, in the range of 1 to 65535.
Description
Use portal web-proxy port to add a web proxy server port number so that HTTP requests forwarded by the web proxy server trigger portal authentication.
Use undo portal web-proxy port to delete one or all web proxy server port numbers.
By default, no web proxy server port number is configured on the device and proxied HTTP requests do not trigger portal authentication.
Up to four web proxy server port numbers can be added.
If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers, you need to add the port numbers of the web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.
If port 80 is added as a web proxy server port on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host with the HTTP service enabled.
Authorized ACLs to be assigned to the users who have passed portal authentication must contain a rule that permits the web proxy server's IP address. Otherwise, the user cannot receive heartbeat packets from the remote portal server.
Examples
# Add web proxy server port number 8080 on the device, so that users using a web proxy server with the port number can be redirected to the portal authentication page.
<Sysname> system-view
[Sysname] portal web-proxy port 8080
portal wlan ssid
Syntax
portal wlan ssid ssid-name [ spot spot-name ] server server-name [ domain domain-name ]
undo portal wlan ssid ssid-name [ spot spot-name ]
View
System view
Default level
2: System level
Parameters
ssid ssid-name: Specifies an SSID for wireless users, a case-sensitive string of 1 to 32 characters.
spot spot-name: Specifies an AP name, a case-sensitive string of 1 to 63 characters.
server server-name: Specifies a portal server name, a case-sensitive string of 1 to 32 characters.
domain domain-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters.
Description
Use portal wlan ssid to associate an SSID and AP name with a portal server and authentication domain. A wireless user using the specified SSID and AP uses the specified portal server for portal authentication and the AAA scheme of the specified authentication domain.
Use undo portal wlan ssid to remove the association for the specified SSID and AP name.
By default, an SSID and AP name are not associated with any portal server or authentication domain.
To make the association effective, make sure the specified portal server and authentication domain already exist, and configure a portal-free rule so that the portal server can receive the packets from the device.
When a wireless user attempts to access the external network, the device looks up the associations for the SSID and AP the user uses. If no match is found, the device uses the portal server specified on the interface to which the user is connected (when portal authentication is enabled on that interface) and the authentication domain configured in system view.
The AP name configured on the AC must be consistent with the NAS ID or NAS port ID configured in AP template view or radio view. If you configure both NAS ID and NAS port ID, the AP name must be consistent with the NAS port ID.
Related command: portal server, portal free-rule, and domain; nas-id, nas-port-id, and service-template (see WLAN command reference).
Examples
# Associate SSID wlan1 and AP sp1 with portal server pt and authentication domain dm1.
<Sysname> system-view
[Sysname] portal wlan ssid wlan1 spot sp1 server pt domain dm1
reset portal connection statistics
Syntax
reset portal connection statistics { all | interface interface-type interface-number }
View
User view
Default level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Description
Use reset portal connection statistics to clear portal connection statistics on a specific interface or all interfaces.
Examples
# Clear portal connection statistics on interface VLAN-interface 1.
<Sysname> reset portal connection statistics interface Vlan-interface1
reset portal server statistics
Syntax
reset portal server statistics { all | interface interface-type interface-number }
View
User view
Default level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Description
Use reset portal server statistics to clear portal server statistics on a specific interface or all interfaces.
Examples
# Clear portal server statistics on interface VLAN-interface 1.
<Sysname> reset portal server statistics interface Vlan-interface1
reset portal tcp-cheat statistics
Syntax
reset portal tcp-cheat statistics
View
User view
Default level
1: Monitor level
Parameters
None
Description
Use reset portal tcp-cheat statistics to clear TCP spoofing statistics.
Examples
# Clear TCP spoofing statistics.
<Sysname> reset portal tcp-cheat statistics