Portal is supported only when the device operates in standard mode. For more information about the system operating modes, see device management in Fundamentals Configuration Guide.

Portal is supported only on CSPEX cards (excluding the CSPEX-1104-E card).

aging-time

Use aging-time to set the aging time for MAC-trigger entries.

Use undo aging-time to restore the default.

Syntax

aging-time seconds

undo aging-time

Default

The aging time for MAC-trigger entries is 300 seconds.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

seconds: Specifies the aging time for MAC-trigger entries. The value range is 60 to 7200 seconds.

Usage guidelines

With MAC-based quick portal authentication enabled, the device generates a MAC-trigger entry for a user when the device detects traffic from the user for the first time. The MAC-trigger entry records the following information:

· MAC address of the user.

· Interface index.

· VLAN ID.

· Traffic statistics.

· Aging timer.

When the aging time expires, the device deletes the MAC-trigger entry. The device re-creates a MAC-trigger entry for the user when it detects the user's traffic again.

Examples

# Specify the aging time as 300 seconds for MAC-trigger entries.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aging-time 300

Related commands

display mac-trigger-server

authentication-timeout

Use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving the MAC binding query response.

Use undo authentication-timeout to restore the default.

Syntax

authentication-timeout minutes

undo authentication-timeout

Default

The authentication timeout time is 3 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the authentication timeout in the range of 1 to 15 minutes.

Usage guidelines

Upon receiving the MAC binding query response of a user from the MAC binding server, the device starts an authentication timeout timer for the user. When the timer expires, the device deletes the MAC-trigger entry of the user.

Examples

# Specify the authentication timeout as 10 minutes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] authentication-timeout 10

Related commands

display mac-trigger-server

binding-retry

Use binding-retry to specify the maximum number of attempts and the interval for sending MAC binding queries to the MAC binding server.

Use undo binding-retry to restore the default.

Syntax

binding-retry { retries | interval interval } *

undo binding-retry

Default

The maximum number of query attempts is 3 and the query interval is 1 second.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10.

interval interval: Specifies the query interval in the range of 1 to 60 seconds.

Usage guidelines

If the device does not receive a response from the MAC binding server after the maximum number is reached, the device determines that the MAC binding server is unreachable. The device performs normal portal authentication for the user. The user needs to enter the username and password for authentication.

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Set the maximum number of MAC binding query attempts to 3 and the query interval to 60 seconds.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] binding-retry 3 interval 60

Related commands

display mac-trigger-server

captive-bypass enable

Use captive-bypass enable to enable the captive-bypass feature.

Use undo captive-bypass enable to disable the captive-bypass feature.

Syntax

captive-bypass [ optimize ]enable

undo captive-bypass [ optimize ] enable

Default

The captive-bypass feature is disabled.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

optimize: Enables the optimized captive-bypass feature.

Examples

# Enable the captive-bypass feature.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass enable

# Enable the optimized captive-bypass feature.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass ios optimize enable

Related commands

display portal web-server

default-logon-page

Use default-logon-page to specify the default authentication page file for the local portal Web service.

Use undo default-logon-page to restore the default.

Syntax

default-logon-page file-name

undo default-logon-page

Default

No default authentication page file is specified for the local portal Web service.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

file-name: Specifies the default authentication page file by the file name (without the file storage directory). The file name is a case-sensitive string of 1 to 91 characters. Valid characters are letters, digits, dots (.) and underscores (_).

Usage guidelines

You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages. The device then sets them as the default authentication pages for local portal authentication.

For successful local portal authentication, you must specify the default portal authentication page file for the local portal Web service.

Examples

# Specify the file pagefile1.zip as the default authentication page file for local portal authentication.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] default-logon-page pagefile1.zip

Related commands

portal local-web-server

display portal

Use display portal to display portal configuration and portal running state.

Syntax

display portal interface interface-type interface-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display portal configuration and portal running state on GigabitEthernet 3/1/1.

<Sysname> display portal interface gigabitethernet 3/1/1

Portal information of GigabitEthernet3/1/1

NAS-ID profile: aaa

Authorization : Strict checking

ACL : Enabled

User profile : Disabled

IPv4:

Portal status: Enabled

Portal authentication method: Layer3

Portal web server: wbs

Portal mac-trigger-server: mts

Authentication domain: my-domain

Pre-auth policy: abc

User-dhcp-only: Enabled

Pre-auth IP pool: ab

Max Portal users: Not configured

Bas-ip: Not configured

User detection: Type: ICMP Interval: 300s Attempts: 5 Idle time: 180s

Action for sever detection:

Server type Server name Action

Web server wbs fail-permit

Portal server pts fail-permit

Layer3 source network:

IP address Mask

1.1.1.1 255.255.0.0

IPv6:

Portal status: Disabled

Portal authentication method: Disabled

Portal web server: Not configured

Authentication domain: Not configured

Pre-auth policy: Not configured

User-dhcp-only: Disabled

Pre-auth IP pool: Not configured

Max Portal users: Not configured

Bas-ipv6: Not configured

User detection: Not configured

Action for sever detection:

Server type Server name Action

-- -- --

Layer3 source network:

IP address Prefix length

Table 1 Command output

Field	Description
Portal information of interface	Portal configuration on the interface.
NAS-ID profile	NAS-ID profile on the interface.
Authorization	Authorization information type: · ACL. · User profile.
Strict checking	Whether strict checking is enabled on portal authorization information.
IPv4	IPv4 portal configuration.
IPv6	IPv6 portal configuration.
Portal status	Portal authentication status on the interface: · Disabled—Portal authentication is disabled. · Enabled—Portal authentication is enabled. · Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication.
Portal authentication method	Authentication mode enabled on the interface: · Direct—Direct authentication. · Redhcp—Re-DHCP authentication. · Layer3—Cross-subnet authentication.
Portal Web server	Name of the portal Web server specified on the interface.
Portal mac-trigger-server	Name of the MAC binding server specified on the interface.
Authentication domain	Mandatory authentication domain on the interface.
Pre-auth policy	Portal preauthentication policy for preauthentication portal users on the interface.
User-dhcp-only	Status of the user-dhcp-only feature: · Enabled—Only users with IP addresses obtained through DHCP can perform portal authentication. · Disabled—Both users with IP addresses obtained through DHCP and users with static IP addresses can pass authentication to get online.
Pre-auth ip-pool	Name of the IP address pool specified for portal users before authentication.
Max Portal users	Maximum number of portal users allowed on an interface.
Bas-ip	BAS-IP attribute of the portal packets sent to the portal authentication server.
Bas-ipv6	‌ BAS-IPv6 attribute of the portal packets sent to the portal authentication server.
User detection	Configuration for online detection of portal users on the interface, including detection method (ARP, ICMPv6, ND or ICMP), detection interval, maximum number of detection attempts, and user idle time.
Action for server detection	Portal server detection configuration on the interface: · Server type—Type of the server. Portal server represents the portal authentication server, and Web server represents the portal Web server. · Server name—Name of the server. · Action—Action triggered by the result of server detection. This field displays fail-permit when the portal fail-permit feature is enabled.
Layer3 source network	Information of the portal authentication source subnet.
IP address	IP address of the portal authentication subnet.
Mask	Subnet mask of the portal authentication subnet.
Prefix length	‌ Prefix length of the IPv6 portal authentication subnet address.

Related commands

portal domain

portal enable

portal ipv6 layer3 source

portal layer3 source

portal web-server

display portal http-defense attacked-ip

Use display portal http-defense attacked-ip to display statistics for attacked destination IP addresses in portal HTTP and HTTPS attack defense.

Syntax

In standalone mode:

display portal http-defense attacked-ip [ slot slot-number ]

In IRF mode:

display portal http-defense attacked-ip [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays attacked destination IP address statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays attacked destination IP address statistics for all cards. (In IRF mode.)

Usage guidelines

The device records an attack for a destination IP address each time the IP address is blocked by portal HTTP and HTTPS attack defense. This command can display a maximum of 512 attacked destination IP addresses. When this maximum number is reached, a new attacked destination IP address record replaces the oldest one.

Examples

# Display statistics for attacked destination IP addresses in portal HTTP and HTTPS attack defense.

<Sysname> display portal http-defense attacked-ip

slot 3:

Dest IP Attacks First attack Last attack

1.1.1.2 1 17:12:34 11/23/2016 17:12:34 11/23/2016

2.2.2.2 2 17:12:34 11/23/2016 17:13:25 11/23/2016

Table 2 Command output

Field	Description
Dest IP	Attacked destination IP address.
Attacks	Number of times that the destination IP address were attacked.
First attack	Time when the first attack occurred.
Last attack	Time when the last attack occurred.

Related commands

reset portal http-defense attacked-ip

display portal http-defense blocked-ip

Use display portal http-defense blocked-ip to display statistics for blocked destination IP addresses in portal HTTP and HTTPS attack defense.

Syntax

In standalone mode:

display portal http-defense blocked-ip [ slot slot-number ]

In IRF mode:

display portal http-defense blocked-ip [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays blocked destination IP address statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays blocked destination IP address statistics for all cards. (In IRF mode.)

Usage guidelines

Blocked destination IP addresses refer to destination IP addresses that are being blocked in HTTP and HTTPS attack defense.

Examples

# Display statistics for blocked destination IP addresses in portal HTTP and HTTPS attack defense.

<Sysname> display portal http-defense blocked-ip

slot 3:

Destination IP address Defense status on driver

1.1.1.2 Succeed

2.2.2.2 Failed

Table 3 Command output

Field	Description
Destination IP address	List of blocked destination IP addresses in portal HTTP and HTTPS attack defense.
Defense status on driver	Whether the blocked destination IP address has been issued to the driver: · Succeed. · Failed.

Field

Description

Destination IP address

List of blocked destination IP addresses in portal HTTP and HTTPS attack defense.

Defense status on driver

Whether the blocked destination IP address has been issued to the driver:

· Succeed.

· Failed.

Related commands

reset portal http-defense blocked-ip

display portal http-defense ip-count

Use display portal http-defense ip-count to display the counts of destination IP addresses in portal HTTP and HTTPS attack defense.

Syntax

In standalone mode:

display portal http-defense ip-count [ slot slot-number ]

In IRF mode:

display portal http-defense ip-count [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays the counts of destination IP addresses for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays the counts of destination IP addresses for all cards. (In IRF mode.)

Examples

# Display the counts of destination IP addresses in portal HTTP and HTTPS attack defense.

<Sysname> display portal http-defense ip-count

slot 3:

Blocked IP: 10

Attacked IP: 20

Monitored IP: 10

Table 4 Command output

Field	Description
Blocked IP	Number of blocked destination IP addresses in portal HTTP and HTTPS attack defense.
Attacked IP	Number of attacked destination IP addresses in portal HTTP and HTTPS attack defense.
Monitored IP	Number of monitored destination IP addresses in portal HTTP and HTTPS attack defense.

display portal http-defense monitored-ip

Use display portal http-defense monitored-ip to display statistics for monitored destination IP addresses in portal HTTP and HTTPS attack defense.

Syntax

In standalone mode:

display portal http-defense monitored-ip [ slot slot-number ]

In IRF mode:

display portal http-defense monitored-ip [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays monitored destination IP address statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays monitored destination IP address statistics for all cards. (In IRF mode.)

Usage guidelines

Monitored destination IP addresses are destination IP addresses that are under monitoring of HTTP and HTTPS attack defense but do not meet the blocking criteria. The maximum number of monitored destination IP addresses is limited by the portal http-defense max-ip-number command.

Examples

# Display statistics for monitored destination IP addresses in portal HTTP and HTTPS attack defense.

<Sysname> display portal http-defense monitored-ip

slot 3:

IP Address Packet Statistics

1.1.1.2 30

1.1.1.3 100

1.1.1.4 50

Table 5 Command output

Field	Description
IP Address	Destination IP address monitored by portal HTTP and HTTPS attack defense.
Packet Statistics	Number of packets destined for the IP address.

Related commands

display portal http-defense blocked-ip

display portal ip-subscriber message statistics

Use display portal ip-subscriber message statistics to display statistics for messages exchanged between portal and IPoE during IPoE Web authentication.

Syntax

display portal ip-subscriber message statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display statistics for messages exchanged between portal and IPoE.

<Sysname> display portal ip-subscriber message statistics

Message Total Error Duplicate

Sent logon request 0 0 0

Received logon success 0 0 0

Received logon failure 0 0 0

Received EAP authentication continue 0 0 0

Sent logoff request 0 0 0

Received logoff response 0 0 0

Received forced logoff request 0 0 0

Sent smooth user start 0 0 0

Sent smooth user end 0 0 0

Sent smooth user message 0 0 0

Sent mac-trigger enable 0 0 0

Sent mac-trigger disable 0 0 0

Received binding request 0 0 0

Sent binding response 0 0 0

Sent nobinding response 0 0 0

Sent processing bind response 0 0 0

Sent delete mac-trigger entry 0 0 0

Received mac-trigger user online 0 0 0

Received mac-trigger user offline 0 0 0

Table 6 Command output

Field	Description
Total	Total number of messages.
Error	Number of error messages.
Duplicate	Number of duplicated messages.
Sent logon request	Number of sent requests for users to come online.
Received logon success	Number of received messages indicating that users came online successfully.
Received logon failure	Number of received messages indicating that users failed to come online.
Received EAP authentication continue	Number of received EAP authentication continue messages.
Sent logoff request	Number of sent requests for users to go offline.
Received logoff response	Number of received responses for users to go offline.
Received forced logoff request	Number of received requests to forcibly log out users.
Sent smooth user start	Number of sent messages indicating that portal started smoothing user information.
Sent smooth user end	Number of sent messages indicating that portal ended smoothing user information.
Sent smooth user message	Number of sent messages for smoothing user information.
Sent mac-trigger enable	Number of sent messages indicating that portal applied a MAC binding server to an interface.
Sent mac-trigger disable	Number of sent messages indicating that portal removed a MAC binding server from an interface.
Received binding request	Number of received binding queries.
Sent binding response	Number of sent responses indicating that user accounts are bound to user MAC addresses.
Sent nobinding response	Number of sent responses indicating that user accounts are not bound to user MAC addresses.
Sent processing bind response	Number of sent responses indicating that portal was processing the binding query request.
Sent delete mac-trigger entry	Number of sent messages indicating that the device deleted MAC-trigger entries.
Received mac-trigger user online	Number of received messages indicating that MAC-trigger users came online.
Received mac-trigger user offline	Number of received messages indicating that MAC-trigger users went offline.

Related commands

reset portal ip-subscriber message statistics

display portal mac-trigger entry

Use display portal mac-trigger entry to display MAC-trigger entries for portal users.

Syntax

display portal mac-trigger entry [ ip ipv4-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ipv4-address: Specifies a portal user by its IP address. If you do not specify a portal user, this command displays MAC-trigger entries for all portal users.

Examples

# Display MAC-trigger entries for all portal users.

<Sysname> display portal mac-trigger entry

IP MAC ADDR L3IF L2IF SVLAN CVLAN Status Source

2.2.2.2 0001-0001-0001 vlan2 GE3/1/2 2 -- Bound Portal

Table 7 Command output

Field	Description
IP	IP address of the user.
MAC ADDR	MAC address of the user.
L3IF	Layer 3 access interface.
L2IF	Layer 2 access interface. This field displays two hyphens (--) if the access interface of the user is a physical Layer 3 interface.
SVLAN	Outer VLAN ID of portal packets from the user.
CVLAN	Inner VLAN ID of portal packets from the user. This field displays two hyphens (--) if portal packets from the user are not double-tagged packets.
Status	Binding status between the MAC address and the user account: · Auth-free—The user with the MAC address can access the network without authentication. · Querying—The binding status of the MAC address is being queried. · Not bound—The MAC address is not bound with the user account. · Bound—The MAC address is bound with the user account. · Deleting—The MAC-trigger entry for the MAC address is being deleted.
Source	Access method of the user: · Portal. · IPoE.

display portal mac-trigger-server

Use display portal mac-trigger-server to display information about MAC binding servers.

Syntax

display portal mac-trigger-server { all | name server-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all MAC binding servers.

name server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Examples

# Display information about all MAC binding servers.

<Sysname> display portal mac-trigger-server all

Portal mac trigger server name: ms1

Version : 2.0

Server type : CMCC

IP : 10.1.1.1

Port : 100

VPN instance : Not configured

Aging time : 120 seconds

Free-traffic threshold : 1000 bytes

NAS-Port-Type : 255

Binding retry times : 5

Binding retry interval : 2 seconds

Authentication timeout : 5 minutes

Portal mac trigger server name: mts

Version : 1.0

Server type : IMC

IP : 4.4.4.2

Port : 50100

VPN instance : Not configured

Aging time : 300 seconds

Free-traffic threshold : 0 bytes

NAS-Port-Type : Not configured

Binding retry times : 3

Binding retry interval : 1 seconds

Authentication timeout : 3 minutes

# Display information about the MAC binding server ms1.

<Sysname> display portal mac-trigger-server name ms1

Portal mac trigger server name: ms1

Version : 2.0

Server type : CMCC

IP : 10.1.1.1

Port : 100

VPN instance : Not configured

Aging time : 120 seconds

Free-traffic threshold : 1000 bytes

NAS-Port-Type : 255

Binding retry times : 5

Binding retry interval : 2 seconds

Authentication timeout : 5 minutes

Table 8 Command output

Field	Description
Portal mac trigger server name	Name of the MAC binding server.
Version	Version of the portal protocol: · 1.0—Version 1. · 2.0—Version 2. · 3.0—Version 3.
Server type	Type of the MAC binding server: · CMCC—CMCC server. · IMC—H3C IMC server or H3C CAMS server.
IP	IP address of the MAC binding server.
Port	UDP port number on which the MAC binding server listens for MAC binding query packets.
VPN instance	MPLS L3VPN instance where the MAC binding server resides.
Aging time	Aging time in seconds. A MAC-trigger entry is aged out when the aging time expires.
Free-traffic threshold	Free-traffic threshold in bytes. If a user's traffic is below the threshold, the user can access the network without authentication.
NAS-Port-Type	NAS-Port-Type attribute value in RADIUS request packets sent to the RADIUS server.
Binding retry times	Maximum number of attempts for sending MAC binding queries to the MAC binding server.
Binding retry interval	Interval at which the device sends MAC binding queries to the MAC binding server.
Authentication timeout	Maximum amount of time that the device waits for portal authentication to complete after receiving the MAC binding query response.

display portal mac-trigger-server packet statistics

Use display portal mac-trigger-server packet statistics to display statistics for messages exchanged between the device and MAC binding servers.

Syntax

display portal mac-trigger-server packet statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display statistics for messages exchanged between the device and MAC binding servers.

<Sysname> display portal mac-trigger-server packet statistics

Packets sent:

User online notifications: 0

User offline notifications: 0

MAC binding queries: 0

Retries: 0

MaxRetryCount reached: 0

Sending failures: 0

Packets received:

MAC binding responses: 0

Binding: 0

Nobinding: 0

Checksum failures: 0

Table 9 Command output

Field	Description
Packets sent	Number of messages that the device sent to MAC binding servers.
User online notifications	Number of notification messages indicating that users came online.
User offline notifications	Number of notification messages indicating that users went offline.
MAC binding queries	Number of MAC binding queries sent to MAC binding servers.
Retries	Number of times that the device attempted to retransmit MAC binding queries.
MaxRetryCount reached	Number of times that the maximum number of retransmissions was reached.
Sending failures	Number of transmission failures.
Packets received	Number of messages that the device received from MAC binding servers.
MAC binding responses	Number of MAC binding responses received from MAC binding servers.
Binding	Number of MAC binding responses indicating that user MAC addresses are bound to the user accounts.
Nobinding	Number of MAC binding responses indicating that user MAC addresses are not bound to user accounts.
Checksum failures	Number of MAC binding responses with checksum failures.

Related commands

display portal packet statistics

reset portal mac-trigger-server packet statistics

display portal packet statistics

Use display portal packet statistics to display packet statistics for portal authentication servers.

Syntax

display portal packet statistics [ server server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

This command displays statistics on packets the device sent to and received from portal authentication servers.

If you do not specify the server server-name option, this command displays packet statistics for all portal authentication servers.

Examples

# Display packet statistics for the portal authentication server pts.

<Sysname> display portal packet statistics server pts

Portal server : pts

Invalid packets: 0

Pkt-Type Total Drops Errors

REQ_CHALLENGE 3 0 0

ACK_CHALLENGE 3 0 0

REQ_AUTH 3 0 0

ACK_AUTH 3 0 0

REQ_LOGOUT 1 0 0

ACK_LOGOUT 1 0 0

AFF_ACK_AUTH 3 0 0

NTF_LOGOUT 1 0 0

REQ_INFO 6 0 0

ACK_INFO 6 0 0

NTF_USERDISCOVER 0 0 0

NTF_USERIPCHANGE 0 0 0

AFF_NTF_USERIPCHAN 0 0 0

ACK_NTF_LOGOUT 1 0 0

NTF_HEARTBEAT 0 0 0

NTF_USER_HEARTBEAT 2 0 0

ACK_NTF_USER_HEARTBEAT 0 0 0

NTF_CHALLENGE 0 0 0

NTF_USER_NOTIFY 0 0 0

AFF_NTF_USER_NOTIFY 0 0 0

Table 10 Command output

Field	Description
Portal server	Name of the portal authentication server.
Invalid packets	Number of invalid packets.
Pkt-Type	Packet type.
Total	Total number of packets.
Drops	Number of dropped packets.
Errors	Number of packets that carry error information.
REQ_CHALLENGE	Challenge request packet the portal authentication server sent to the access device.
ACK_CHALLENGE	Challenge acknowledgment packet the access device sent to the portal authentication server.
REQ_AUTH	Authentication request packet the portal authentication server sent to the access device.
ACK_AUTH	Authentication acknowledgment packet the access device sent to the portal authentication server.
REQ_LOGOUT	Logout request packet the portal authentication server sent to the access device.
ACK_LOGOUT	Logout acknowledgment packet the access device sent to the portal authentication server.
AFF_ACK_AUTH	Affirmation packet the portal authentication server sent to the access device after receiving an authentication acknowledgment packet.
NTF_LOGOUT	Forced logout notification packet the access device sent to the portal authentication server.
REQ_INFO	Information request packet.
ACK_INFO	Information acknowledgment packet.
NTF_USERDISCOVER	User discovery notification packet the portal authentication server sent to the access device.
NTF_USERIPCHANGE	User IP change notification packet the access device sent to the portal authentication server.
AFF_NTF_USERIPCHAN	User IP change success notification packet the portal authentication server sent to the access device.
ACK_NTF_LOGOUT	Forced logout acknowledgment packet the portal authentication server sent to the access device.
NTF_HEARTBEAT	Server heartbeat packet the portal authentication server periodically sent to the access device.
NTF_USER_HEARTBEAT	User synchronization packet the portal authentication server sent to the access device.
ACK_NTF_USER_HEARTBEAT	User synchronization acknowledgment packet the access device sent to the portal authentication server.
NTF_CHALLENGE	Challenge request packet the access device sent to the portal authentication server.
NTF_USER_NOTIFY	User information notification packet the access device sent to the portal authentication server.
AFF_NTF_USER_NOTIFY	NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.

Related commands

reset portal packet statistics

display portal rule

Use display portal rule to display portal filtering rules.

Syntax

In standalone mode:

display portal rule { all | dynamic | static } interface interface-type interface-number [ slot slot-number ]

In IRF mode:

display portal rule { all | dynamic | static } interface interface-type interface-number [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all portal filtering rules, including dynamic and static portal filtering rules.

dynamic: Displays dynamic portal filtering rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface.

static: Displays static portal filtering rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays portal filtering rules for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays portal filtering rules for all cards. (In IRF mode.)

Examples

# Display all portal filtering rules on GigabitEthernet 3/1/1 for the specified slot.

<Sysname> display portal rule all interface gigabitethernet 3/1/1 slot 3

slot 3:

IPv4 portal rules on GigabitEthernet3/1/1:

Rule 1:

Type : Static

Action : Permit

Protocol : Any

Status : Active

Source:

IP : 0.0.0.0

Mask : 0.0.0.0

Port : Any

MAC : 0000-0000-0000

Interface : GigabitEthernet3/1/1

VLAN : Any

Destination:

IP : 192.168.0.111

Mask : 255.255.255.255

Port : Any

Rule 2:

Type : Dynamic

Action : Permit

Status : Active

Source:

IP : 2.2.2.2

MAC : 000d-88f8-0eab

Interface : GigabitEthernet3/1/1

VLAN : Any

Author ACL:

Number : 3001

Rule 3:

Type : Static

Action : Redirect

Status : Active

Source:

IP : 0.0.0.0

Mask : 0.0.0.0

Interface : GigabitEthernet3/1/1

VLAN : Any

Protocol : TCP

Destination:

IP : 0.0.0.0

Mask : 0.0.0.0

Port : 80

Rule 4:

Type : Static

Action : Deny

Status : Active

Source:

IP : 0.0.0.0

Mask : 0.0.0.0

Interface : GigabitEthernet3/1/1

VLAN : Any

Destination:

IP : 0.0.0.0

Mask : 0.0.0.0

IPv6 portal rules on GigabitEthernet3/1/1:

Rule 1:

Type : Static

Action : Permit

Protocol : Any

Status : Active

Source:

IP : ::

Prefix length : 0

Port : Any

MAC : 0000-0000-0000

Interface : GigabitEthernet3/1/1

VLAN : Any

Destination:

IP : 3000::1

Prefix length : 64

Port : Any

Rule 2:

Type : Dynamic

Action : Permit

Status : Active

Source:

IP : 3000::1

MAC : 0015-e9a6-7cfe

Interface : GigabitEthernet3/1/1

VLAN : Any

Author ACL:

Number : 3001

Rule 3:

Type : Static

Action : Redirect

Status : Active

Source:

IP : ::

Prefix length : 0

Interface : GigabitEthernet3/1/1

VLAN : Any

Protocol : TCP

Destination:

IP : ::

Prefix length : 0

Port : 80

Rule 4:

Type : Static

Action : Deny

Status : Active

Source:

IP : ::

Prefix length : 0

Interface : GigabitEthernet3/1/1

VLAN : Any

Destination:

IP : ::

Prefix length : 0

Rule 5:

Type : Static

Action : Match pre-auth ACL

Status : Active

Source:

Interface : GigabitEthernet3/1/1

Pre-auth ACL:

Number : 3002

Table 11 Command output

Field	Description
Rule	Number of the portal filtering rule. IPv4 portal filtering rules and IPv6 portal filtering rules are numbered separately.
Type	Type of the portal filtering rule: · Static—Static portal filtering rule. · Dynamic—Dynamic portal filtering rule.
Action	Action triggered by the portal filtering rule: · Permit—The interface allows packets to pass. · Redirect—The interface redirects packets. · Deny—The interface forbids packets to pass. · Match pre-auth ACL—The interface matches packets by the authorized ACL rules in the portal preauthentication policy.
Protocol	Transport layer protocol permitted by the portal-free rule: · Any—Permits any transport layer protocol. · TCP—Permits TCP. · UDP—Permits UDP.
Status	Status of the portal filtering rule: · Active—The portal filtering rule is effective. · Unactuated—The portal filtering rule is not activated. If the portal filtering rule has not been deployed, this field displays N/A.
Source	Source information of the portal filtering rule.
IP	Source IP address.
Mask	Subnet mask of the source IPv4 address.
Prefix length	Prefix length of the source IPv6 address.
Port	Source transport layer port number.
MAC	Source MAC address.
Interface	Layer 2 or Layer 3 interface on which the portal filtering rule is implemented.
VLAN	Source VLAN ID.
Protocol	Transport layer protocol. This field can only be TCP for a portal redirect rule.
Destination	Destination information of the portal filtering rule.
IP	Destination IP address.
Port	Destination transport layer port number.
Mask	Subnet mask of the destination IPv4 address.
Prefix length	Prefix length of the destination IPv6 address.
Author ACL	Authorized ACL assigned to authenticated portal users. This field is displayed only for a dynamic portal filtering rule.
Pre-auth ACL	Authorized ACL assigned to preauthentication portal users. This field is displayed only for the Match pre-auth ACL action.
Number	Number of the authorized ACL. This field displays N/A if the AAA server does not assign an ACL.

display portal server

Use display portal server to display information about portal authentication servers.

Syntax

display portal server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server-name argument, this command displays information about all portal authentication servers.

Examples

# Display information about the portal authentication server pts.

<Sysname> display portal server pts

Portal server: pts

Type : IMC

IP : 192.168.0.111

VPN instance : Not configured

Port : 50100

Server detection : Timeout 60s Action: log

User synchronization : Timeout 200s

Status : Up

Exclude-attribute : Not configured

Logout notification : Retry 3 interval 5s

Table 12 Command output

Field	Description
Type	Portal authentication server type: · CMCC—CMCC server. · IMC—IMC server.
Portal server	Name of the portal authentication server.
IP	IP address of the portal authentication server.
VPN instance	MPLS L3VPN instance where the portal authentication server resides.
Port	Listening port on the portal authentication server.
Server detection	Parameters for portal authentication server detection: · Detection timeout in seconds. · Action (log) triggered by the reachability status change of the portal authentication server.
User synchronization	User idle timeout in seconds for portal user synchronization.
Status	Reachability status of the portal authentication server: · Up—This value indicates one of the following conditions: ¡ Portal authentication server detection is disabled. ¡ Portal authentication server detection is enabled and the server is reachable. · Down—Portal authentication server detection is enabled and the server is unreachable.
Exclude-attribute	Attribute fields not carried in portal protocol packets.
Logout notification	Maximum number of times and the interval (in seconds) for retransmitting a logout notification packet.

Related commands

portal enable

portal server

server-detect (portal authentication server view)

user-sync

display portal user

Use display portal user to display information about portal users.

Syntax

display portal user { all | interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address | pre-auth [ interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address ] } [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays information about all portal users.

interface interface-type interface-number: Displays information about portal users on the specified interface.

ip ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

pre-auth: Displays information about preauthentication portal users. A preauthentication portal user is a user who is authorized with the user attributes in a portal preauthentication policy before portal authentication. If you do not specify the pre-auth keyword, this command displays information about authenticated portal users.

verbose: Displays detailed information about portal users.

Examples

# Display information about all portal users.

<Sysname> display portal user all

Total portal users: 2

Username: abc

Portal server: pts

State: Online

VPN instance: N/A

MAC IP VLAN Interface

000d-88f8-0eab 2.2.2.2 -- GigabitEthernet3/1/1

Authorization information:

DHCP IP pool: N/A

User profile: abc (active)

Session group profile: cd (inactive)

ACL number: N/A

Inbound CAR: N/A

Outbound CAR: N/A

Inbound priority: N/A

Outbound priority: N/A

Username: def

Portal server: pts

State: Online

VPN instance: N/A

MAC IP VLAN Interface

000d-88f8-0eac 3.3.3.3 -- GigabitEthernet3/1/2

Authorization information:

DHCP IP pool: N/A

User profile: N/A

Session group profile: N/A

ACL number: 3000 (inactive)

Inbound CAR: CIR 3 kbps PIR 3 kbps

CBS N/A (inactive)

Outbound CAR: CIR 3 kbps PIR 3 kbps

CBS N/A (inactive)

Inbound priority: 7 (active)

Outbound priority: 0 (active)

Table 13 Command output

Field	Description
Total portal users	Total number of portal users.
Username	Name of the user.
Portal server	Name of the portal authentication server.
State	Current state of the portal user: · Initialized—The user is initialized and ready for authentication. · Authenticating—The user is being authenticated. · Authorizing—The user is being authorized. · Online—The user is online.
VPN instance	MPLS L3VPN instance to which the portal user belongs. If the portal user is on a public network, this field displays N/A.
MAC	MAC address of the portal user.
IP	IP address of the portal user.
VLAN	VLAN where the portal user resides.
Interface	Access interface of the portal user.
Authorization information	Authorization information for the portal user.
DHCP IP pool	This field is not supported in the current software version. Name of the authorized IP address pool. If no IP address pool is authorized for the portal user, this field displays N/A.
User profile	Authorized user profile: · N/A—No user profile is authorized. · active—The authorized user profile is applied to the user access interface successfully. · inactive—The authorized user profile is not applied to the user access interface or the user profile does not exist on the device.
Session group profile	This field is not supported in the current software version. Authorized session group profile: · N/A—No session group profile is authorized. · active—The authorized session group profile is applied to the user access interface successfully. · inactive—The authorized session group profile is not applied to the user access interface or the session group profile does not exist on the device.
ACL number	Authorized ACL: · N/A—No ACL is authorized. · active—The authorized ACL is applied to the user access interface successfully. · inactive—The authorized ACL is not applied to the user access interface or the ACL does not exist on the device.
Inbound CAR	Authorized inbound CAR: · CIR—Committed information rate in kbps. · PIR—Peak information rate in kbps. · CBS—Committed burst size in bytes. · active—The authorized inbound CAR is applied to the user access interface successfully. · inactive—The authorized inbound CAR is not applied to the user access interface. · N/A—No inbound CAR is authorized.
Outbound CAR	Authorized outbound CAR: · CIR—Committed information rate in kbps. · PIR—Peak information rate in kbps. · CBS—Committed burst size in bytes. · active—The authorized outbound CAR is applied to the user access interface successfully. · inactive—The authorized outbound CAR is not applied to the user access interface. · N/A—No outbound CAR is authorized.
Inbound priority	Authorized inbound priority: · active—The authorized inbound priority is applied to the user access interface successfully. · inactive—The authorized inbound priority is not applied to the user access interface. · N/A—No inbound priority is authorized.
Outbound priority	Authorized outbound priority: · active—The authorized outbound priority is applied to the user access interface successfully. · inactive—The authorized outbound priority is not applied to the user access interface. · N/A—No outbound priority is authorized.

# Display detailed information about the portal user with IP address 50.50.50.3.

<Sysname> display portal user ip 50.50.50.3 verbose

Basic:

Current IP address: 50.50.50.3

Original IP address: 30.30.30.2

Username: user1@hrss

User ID: 0x18000002

Acct-Session-ID: 678900123456790123456788901234534578901266789001234567890

Access interface: GigabitEthernet3/1/1

Service-VLAN/Customer-VLAN: -/-

MAC address: 0000-0000-0001

Domain name: hrss

VPN instance: N/A

Status: Online

Portal server: test

Portal authentication method: Direct

AAA:

Realtime accounting interval: 60s, retry times: 3

Idle cut: 180 sec, 10240 bytes, direction: Inbound

Session duration: 500 sec, remaining: 300 sec

Remaining traffic: 10240000 bytes

Online time: 01:28:16

Accounting-start fail action: Online

Accounting-update fail action: Online

Accounting quota-out action: Offline

ITA policy name: test

DHCP IP pool: N/A

ACL&QoS&Multicast:

Inbound CAR: CIR 64kbps PIR 640kbps

CBS N/A (active)

Outbound CAR: CIR 64kbps PIR 640kbps

CBS N/A (active)

Inbound priority: 7 (active)

Outbound priority: 0 (active)

ACL number:3000 (inactive)

User profile: portal (active)

Session group profile: N/A

Max multicast addresses: 4

Multicast address list: 1.2.3.1, 1.34.33.1, 3.123.123.3, 4.5.6.7

2.2.2.2, 3.3.3.3, 4.4.4.4

User group: 1 (Id=1)

Flow statistic:

Uplink packets/bytes: 7/546

Downlink packets/bytes: 0/0

ITA:

Accounting merge: Disabled

Traffic separate: Disabled

Quota-out offline: Enabled

level-1 Session duration: N/A, remaining: N/A

Remaining traffic: N/A

Traffic action: Permit

Inbound CAR: CIR: 1000 kbps, PIR: 1000 kbps

Outbound CAR: CIR: 1000 kbps, PIR: 1000 kbps

Uplink packets/bytes: 0/0

Downlink packets/bytes: 0/0

level-2 Session duration: N/A, remaining: N/A

Remaining traffic: N/A

Traffic action: Permit

Inbound CAR: CIR: 2000 kbps, PIR: 2000 kbps

Outbound CAR: CIR: 2000 kbps, PIR: 2000 kbps

Uplink packets/bytes: 0/0

Downlink packets/bytes: 0/0

Table 14 Command output

Field	Description
Current IP address	IP address of the portal user after passing authentication.
Original IP address	IP address of the portal user during authentication.
Username	Name of the portal user.
User ID	Portal user ID.
Acct-Session-ID	Accounting session ID of the portal user.
Access interface	Access interface of the portal user.
Service-VLAN/Customer-VLAN	Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.
MAC address	MAC address of the portal user.
Domain name	ISP domain name for portal authentication.
VPN instance	MPLS L3VPN instance to which the portal user belongs. If the portal user is on a public network, this field displays N/A.
Status	Status of the portal user: · Authenticating—The user is being authenticated. · Authorizing—The user is being authorized. · Waiting SetRule—Deploying portal filtering rules to the user. · Online—The user is online. · Waiting Traffic—Waiting for traffic from the user. · Stop Accounting—Stopping accounting for the user. · Done—The user is offline.
Portal server	Name of the portal server.
Portal authentication method	Portal authentication method on the access interface: · Direct—Direct authentication. · Re-Dhcp—Re-DHCP authentication. · Layer3—Cross-subnet authentication.
AAA	AAA information about the portal user.
Realtime accounting interval	Interval for sending real-time accounting updates, and the maximum number of accounting attempts. If the real-time accounting is not authorized, this field displays N/A.
Idle cut	Idle timeout period and the minimum traffic threshold. If idle cut is not authorized, this field displays N/A.
direction	Direction of user traffic: · Both—Inbound and outbound traffic. · Inbound—Inbound traffic. · Outbound—Outbound traffic.
Session duration	Session duration and the remaining session time. If the session duration is not authorized, this field displays N/A.
Remaining traffic	Remaining traffic for the portal user. If the remaining traffic is not authorized, this field displays N/A.
Login time	Time when the user logged in. The field uses the device time format, for example, 2023-1-19 2:42:30 UTC.
Online time	Duration that the user has been online, in the format of hh:mm:ss.
Accounting-start fail action	Access control for the user when the user encounters accounting-start failures: · Online—Allows the user to stay online. · Offline—Logs off the user.
Accounting-update fail action	Access control for the user when the user encounters accounting-update failures: · Online—Allows the users to stay online. · Offline—Logs off the user.
Accounting quota-out action	Access control for the user when the user has used up the accounting quota: · Online—Allows the user to stay online. · Offline—Logs off the user.
ITA policy name	Name of the intelligent target accounting policy.
DHCP IP pool	This field is not supported in the current software version. Authorized DHCP IP address pool. If no DHCP IP address pool is authorized for the portal user, this field displays N/A.
Inbound CAR	Authorized inbound CAR: · CIR—Committed information rate in kbps. · PIR—Peak information rate in kbps. · CBS—Committed burst size in bytes. · active—The authorized inbound CAR is applied to the user access interface successfully. · inactive—The authorized inbound CAR is not applied to the user access interface. · N/A—No inbound CAR is authorized.
Outbound CAR	Authorized outbound CAR: · CIR—Committed information rate in kbps. · PIR—Peak information rate in kbps. · CBS—Committed burst size in bytes. · active—The authorized outbound CAR is applied to the user access interface successfully. · inactive—The authorized outbound CAR is not applied to the user access interface. · N/A—No outbound CAR is authorized.
Inbound priority	Authorized inbound priority: · active—The authorized inbound priority is applied to the user access interface successfully. · inactive—The authorized inbound priority is not applied to the user access interface. · N/A—No inbound priority is authorized.
Outbound priority	Authorized outbound priority: · active—The authorized outbound priority is applied to the user access interface successfully. · inactive—The authorized outbound priority is not applied to the user access interface. · N/A—No outbound priority is authorized.
ACL number	Authorized ACL: · N/A—No ACL is authorized. · active—The authorized ACL is applied to the user access interface successfully. · inactive—The authorized ACL is not applied to the user access interface or the ACL does not exist on the device.
User profile	Authorized user profile: · N/A—No user profile is authorized. · active—The authorized user profile is applied to the user access interface successfully. · inactive—The authorized user profile is not applied to the user access interface or the user profile does not exist on the device.
Session group profile	This field is not supported in the current software version. Authorized session group profile: · N/A—No session group profile is authorized. · active—The authorized session group profile is applied to the user access interface successfully. · inactive—The authorized session group profile is not applied to the user access interface or the session group profile does not exist on the device.
Max multicast addresses	Maximum number of multicast groups the portal user can join.
Multicast address list	Multicast group list the portal user can join. If no multicast group is authorized, this field displays N/A.
User group	User group to which the portal user belongs.
Flow statistic	Flow statistics for the portal user.
Uplink packets/bytes	Packet and byte statistics of the upstream traffic.
Downlink packets/bytes	Packet and byte statistics of the downstream traffic.
ITA	ITA traffic statistics for the portal user.
Accounting merge	Status of the accounting merge feature: · Enabled—The accounting merge feature is enabled. The device merges the ITA traffic of all accounting rates in the ITA policy, and applies the lowest rate to the merged traffic. · Disabled—The accounting merge feature is disabled. The device sends separate traffic statistics for each accounting rate to the server.
Traffic separate	Whether to exclude the amount of ITA traffic from the overall traffic statistics sent to the accounting server: · Enabled—ITA traffic is excluded from the overall traffic statistics. · Disabled—ITA traffic is included in the overall traffic statistics.
Quota-out offline	Whether to prohibit the portal user from accessing the authorized IP subnets when the user has used up its ITA data quota: · Enabled—User cannot access the authorized IP subnets after its ITA data quota is used up. · Disabled—User can access the authorized IP subnets after its ITA data quota is used up.
Level-n Session duration	Authorization session duration and the remaining session duration for ITA traffic of level n. The number n is in the range of 1 to 8. If the session duration is not authorized, this field displays N/A.
Remaining traffic	Remaining ITA traffic for the portal user.
Traffic action	Action for traffic destined for the authorized IP subnets when the portal user has used up its ITA data quota: · Permit—Permits traffic destined for the authorized IP subnets. · Deny—Denies traffic destined for the authorized IP subnets.
Inbound CAR	Authorized inbound CAR for ITA traffic: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. · active—The authorized inbound CAR is applied to the user access interface successfully. · inactive—The authorized inbound CAR is not applied to the user access interface. · N/A—No inbound CAR is authorized.
Outbound CAR	Authorized outbound CAR for ITA traffic: · CIR—Committed information rate in bps. · PIR—Peak information rate in bps. · active—The authorized outbound CAR is applied to the user access interface successfully. · inactive—The authorized outbound CAR is not applied to the user access interface. · N/A—No outbound CAR is authorized.
Uplink packets/bytes	Number of packets and bytes counted for the upstream ITA traffic.
Downlink packets/bytes	Number of packets and bytes counted for the downstream ITA traffic.

Related commands

portal enable

display portal user count

Use display portal user count to display the number of portal users.

Syntax

display portal user count

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the number of portal users.

<Sysname> display portal user count

Total number of users: 1

Related commands

portal delete-user

portal enable

display portal web-server

Use display portal web-server to display information about portal Web servers.

Syntax

display portal web-server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server-name argument, this command displays information about all portal Web servers.

Examples

# Display information about the portal Web server wbs.

<Sysname> display portal web-server wbs

Portal Web server: wbs

Type : IMC

URL : http://www.test.com/portal

URL parameters : userurl=http://www.test.com/welcome

userip=source-address

VPN instance : Not configured

Server detection : Interval: 120s Attempts: 5 Action: log

IPv4 status : Up

IPv6 status : Up

Captive-bypass : Enabled

If-match : original-url: http://2.2.2.2, redirect-url http://192.168.56.2

Table 15 Command output

Field	Description
Type	Portal Web server type: · CMCC—CMCC server. · iMC—IMC server.
Portal Web server	Name of the portal Web server.
URL	URL of the portal Web server.
URL parameters	URL parameters for the portal Web server.
VPN instance	Name of the MPLS L3VPN where the portal Web server resides.
Server detection	Parameters for portal Web server detection: · Detection interval in seconds. · Maximum number of detection attempts. · Action (log) triggered by the reachability status change of the portal Web server.
IPv4 status	Current state of the IPv4 portal Web server: · Up—This value indicates one of the following conditions: ¡ Portal Web server detection is disabled. ¡ Portal Web server detection is enabled and the server is reachable. · Down—Portal Web server detection is enabled and the server is unreachable.
IPv6 status	‌ Current state of the IPv6 portal Web server: · Up—This value indicates one of the following conditions: ¡ Portal Web server detection is disabled. ¡ Portal Web server detection is enabled and the server is reachable. · Down—Portal Web server detection is enabled. The server is unreachable.
Captive-bypass	Status of the captive-bypass feature: · Enabled—The captive-bypass feature is enabled. · Disabled—The captive-bypass feature is disabled. · Optimize Enabled—The optimized captive-bypass feature is enabled.
If-match	Match rules configured for URL redirection. If no match rules are configured, this field displays Not configured.

Related commands

portal enable

portal web-server

server-detect (portal Web server view)

display web-redirect rule

Use display web-redirect rule to display information about Web redirect rules.

Syntax

In standalone mode:

display web-redirect rule interface interface-type interface-number [ slot slot-number ]

In IRF mode:

display web-redirect rule interface interface-type interface-number [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays Web redirect rules for the active MPU. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays Web redirect rules for the global active MPU. (In IRF mode.)

Examples

# Display all Web redirect rules on GigabitEthernet 3/1/1

<Sysname> display web-redirect rule interface gigabitethernet 3/1/1

IPv4 web-redirect rules on GigabitEthernet3/1/1:

Rule 1:

Type : Dynamic

Action : Permit

Status : Active

Source:

IP : 192.168.2.114

VLAN : Any

Rule 2:

Type : Static

Action : Redirect

Status : Active

Source:

VLAN : Any

Protocol : TCP

Destination:

Port : 80

IPv6 web-redirect rules on GigabitEthernet3/1/1:

Rule 1:

Type : Static

Action : Redirect

Status : Active

Source:

VLAN : Any

Protocol : TCP

Destination:

Port : 80

Table 16 Command output

Field	Description
Rule	Number of the Web redirect rule.
Type	Type of the Web redirect rule: · Static—Static Web redirect rule, generated when the Web redirect feature takes effect. · Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.
Action	Action in the Web redirect rule: · Permit—Allows packets to pass. · Redirect—Redirects the packets.
Status	Status of the Web redirect rule: · Active—The Web redirect rule is effective. · Inactive—The Web redirect rule is not effective.
Source	Source information in the Web redirect rule.
IP	Source IP address.
Mask	Subnet mask of the source IPv4 address.
Prefix length	Prefix length of the source IPv6 address.
VLAN	Source VLAN. If not specified, this field displays Any.
Protocol	Transport layer protocol. This field can only be TCP for a Web redirect rule.
Destination	Destination information in the Web redirect rule.
Port	Destination transport layer port number. The default port number is 80.

exclude-attribute

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

Default

No attributes are excluded from portal protocol packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

number: Specifies an attribute by its number, in the range of 1 to 255.

ack-auth: Excludes the attribute from ACK_AUTH packets.

ack-challenge: Excludes the attribute from ACK_CHALLENGE packets.

ack-info: Excludes the attribute from ACK_INFO packets.

ack-logout: Excludes the attribute from ACK_LOGOUT packets.

ack-ntf-user-heartbeat: Excludes the attribute from ACK_NTF_USER_HEARTBEAT packets.

ntf-challenge: Excludes the attribute from NTF_CHALLENGE packets.

ntf-logout: Excludes the attribute from NTF_LOGOUT packets.

ntf-user-notify: Excludes the attribute from NTF_USER_NOTIFY packets.

ntf-useripchange: Excludes the attribute from NTF_USERIPCHANGE packets.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.

To address this issue, you can configure this command to exclude the unsupported attributes from specific portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple types of portal protocol packets (ack-auth, ntf-logout, and ack-logout).

If you do not specify any type of portal protocol packets in this command, the device excludes the specified attribute from all portal protocol packets.

Table 17 describes all attributes of the portal protocol.

Table 17 Portal attributes

Name	Number	Description
UserName	1	Name of the user to be authenticated.
PassWord	2	User password in plaintext form.
Challenge	3	Random challenge for CHAP authentication.
ChapPassWord	4	CHAP password encrypted by MD5.
TextInfo	5	The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server. The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.
UpLinkFlux	6	Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.
DownLinkFlux	7	Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.
Port	8	Port information, a string excluding the end character '\0'.
IP-Config	9	This attribute has different meanings in different types of packets. · The device uses this attribute in ACK _AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP. · The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.
BAS-IP	10	IP address of the access device. For re-DHCP portal authentication, the value of this attribute is the public IP address of the access device.
Session-ID	11	Identifier of a portal user. Generally, the value of this attribute is the MAC address of the portal user.
Delay-Time	12	Delay time for sending a packet. This attributes exists in NTF_LOGOUT (Type=0x08) packets.
User-List	13	List of IP addresses of an IPv4 portal user.
EAP-Message	14	An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet.
User-Notify	15	Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently.
BAS-IPv6	16	IPv6 address of the access device.
UserIPv6-List	101	List of IPv6 addresses of an IPv6 portal user.

Examples

# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] exclude-attribute 6 ack-auth

Related commands

display portal server

free-traffic threshold

Use free-traffic threshold to specify the free-traffic threshold for portal users.

Use undo free-traffic threshold to restore the default.

Syntax

free-traffic threshold value

undo free-traffic threshold

Default

The free-traffic threshold is 0 bytes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the free-traffic threshold in the range of 0 to 10240000 bytes. If the free-traffic threshold is set to 0, the device immediately triggers MAC-based quick portal authentication for a user once the user's traffic is deleted.

Usage guidelines

After MAC-based quick portal authentication is configured, the device monitors a user's network traffic (sent and received) in real time before the MAC-trigger entry for the user ages out. A user can access the network without authentication if the user's network traffic is below the free-traffic threshold. When the user's network traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user.

If the user passes portal authentication, the device deletes the MAC-trigger entry and clears the user traffic statistics. If the user fails authentication, the device does not trigger MAC-based quick authentication for the user before the MAC-trigger entry ages out. When the MAC-trigger entry ages out, the device clears the user traffic statistics.

When traffic is detected from the user again, the device re-creates a MAC-trigger entry for the user and repeats the previous procedure.

Examples

# Specify the free-traffic threshold for portal users as 10240 bytes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] free-traffic threshold 10240

Related commands

display mac-trigger-server

if-match

Use if-match to configure a match rule for URL redirection.

Use undo if-match to delete a URL redirection match rule.

Syntax

if-match { original-url url-string redirect-url url-string [ url-param-encryption { aes | des } key { cipher | simple } string ] | user-agent string redirect-url url-string }

undo if-match { original-url url-string | user-agent user-agent }

Default

No URL redirection match rules exist.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in HTTP requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

url-param-encryption: Specifies an encryption algorithm to encrypt the parameters carried in the redirection URL. If you do not specify an encryption algorithm, the parameters carried in the redirection URL are not encrypted.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

· If des cipher is specified, the string length is 41 characters.

· If des simple is specified, the string length is 8 characters.

· If aes cipher is specified, the string length is 1 to 73 characters.

· If aes simple is specified, the string length is 1 to 31 characters.

user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP or HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.

Usage guidelines

A URL redirection match rule matches HTTP or HTTPS requests by user-requested URL or User-Agent information, and redirects the matching HTTP or HTTPS requests to the specified redirection URL.

For a user to successfully access a redirection URL, configure a portal-free rule to allow HTTP or HTTPS requests destined for the redirection URL to pass. For information about configuring portal-free rules, see the portal free-rule command.

For a portal Web server, you can configure the url command and the if-match command for URL redirection. The url command redirects all HTTP or HTTPS requests from unauthenticated users to the portal Web server for authentication. The if-match command allows for flexible URL redirection by redirecting specific HTTP or HTTPS requests to specific redirection URLs. If both commands are executed, the if-match command takes priority to perform URL redirection.

Examples

# Configure a match rule to redirect HTTP requests destined for URL http://www.abc.com.cn to URL http://192.168.0.1 and use DES to encrypt the parameters carried in this redirection URL.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn redirect-url http://192.168.0.1 url-param-encryption des key simple 12345678

# Configure a match rule to redirect HTTP requests that carry the user agent string 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1

Related commands

display portal web-server

portal free-rule

url

url-parameter

ip (MAC binding server view)

Use ip to specify the IP address of a MAC binding server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo ip

Default

The IP address of the MAC binding server is not specified.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of a MAC binding server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the MAC binding server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the MAC binding server belongs to the public network, do not specify this option.

key: Specifies a shared key for securing communication between the device and the MAC binding server. Portal packets exchanged between the device and MAC binding server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to verify the correctness of the received portal packets. If you do not specify a shared key, the device and MAC binding server do not authenticate the packets between them.

cipher: Specifies a shared key in encrypted form.

simple: Specifies a shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the shared key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Specify 192.168.0.111 as the IP address of MAC binding server mts and specify plaintext key portal for securing communication between the device and the MAC binding server.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal

Related commands

display mac-trigger-server

ip (portal authentication server view)

Use ip to specify the IPv4 address of a portal authentication server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo ip

Default

The IPv4 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of the IPv4 portal authentication server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the portal authentication server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server belongs to the public network, do not specify this option.

key: Specifies a shared key for securing communication between the device and the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv4 address. Therefore, in portal authentication server view, only one IPv4 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv4 address and MPLS L3VPN for different portal authentication servers.

Examples

# Specify 192.168.0.111 as the IPv4 address of portal authentication server pts and specify plaintext key portal for securing communication between the device and the IPv4 portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ip 192.168.0.111 key simple portal

Related commands

display portal server

portal server

ipv6

Use ipv6 to specify the IPv6 address of a portal authentication server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo ipv6

Default

The IPv6 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IP address of the IPv6 portal authentication server.

key: Specifies a shared key for securing the communication between the device and the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv6 address. Therefore in portal authentication server view, only one IPv6 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv6 address and MPLS L3VPN for different portal authentication servers.

Examples

# Specify 2000::1 as the IPv6 address of portal authentication server pts and specify plaintext key portal for securing the communication between the device and the IPv6 portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ipv6 2000::1 key simple portal

Related commands

display portal server

portal server

logon-page bind

Use logon-page bind to bind an endpoint type to an authentication page file.

Use undo logon-page bind to unbind the endpoint type from the authentication page file.

Syntax

logon-page bind device-type type-name file file-name

undo logon-page bind { all | device-type type-name }

Default

No endpoint type is bound to an authentication page file.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

all: Specifies all endpoint types.

device-type type-name: Specifies an endpoint type, a case-sensitive string of 1 to 127 characters. The specified endpoint type must have been predefined on the device. Otherwise, the bound authentication page file does not take effect.

file file-name: Specifies an authentication page file by the file name (without the file storage directory). A file name is a string of 1 to 91 characters, and can contain letters, digits, and underscores (_). You must edit the authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

Usage guidelines

This command implements customized authentication page pushing for portal users. After you configure this command, the device pushes authentication pages to users according to the endpoint type.

When a Web user triggers local portal authentication, the device searches for a binding that matches the user's endpoint type. If the binding does not exist, the device pushes the default authentication pages to the user. If the default authentication page file is not specified (by using the default-logon-page command), the user cannot perform local portal authentication.

When you configure this command, follow these restrictions and guidelines:

· If the name or content of the file in a binding entry is changed, you must reconfigure the binding.

· To reconfigure or modify a binding, simply re-execute this command without canceling the existing binding.

· If you execute this command multiple times to bind an endpoint type to different authentication page files, the most recent configuration takes effect.

· You can configure multiple binding entries on the device.

Examples

# Create an HTTP-based local portal Web service.

<Sysname> system-view

[Sysname] portal local-web-server http

# Bind endpoint type iphone to authentication page file file2.zip.

[Sysname-portal-local-websvr-http] logon-page bind device-type iphone file file2.zip

Related commands

default-logon-page

portal local-web-server

logout-notify

Use logout-notify to set the maximum number of times and the interval for retransmitting a logout notification packet.

Use undo logout-notify to restore the default.

Syntax

logout-notify retry retries interval interval

undo logout-notify

Default

The device does not retransmit a logout notification packet.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

retry retries: Specifies the maximum number of retries, in the range of 1 to 5.

interval interval: Specifies the retry interval, in the range of 1 to 10 seconds.

Usage guidelines

A logout notification packet is a UDP packet that the device sends to the portal authentication server for forcibly logging out a portal user. To increase the delivery reliability, you can set the maximum number of times and the interval for retransmitting a logout notification packet.

After the device sends a logout notification packet for logging out a portal user, it waits for a response from the portal authentication server. If the device receives a response within the specified period of time (maximum number of retries × retry interval), it logs out and deletes the user immediately. If the device does not receive a response within the period of time, the device logs out and deletes the user when the period of time elapses.

Examples

# Set the maximum number of times for retransmitting a logout notification packet to 3 and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] portal server pt

[Sysname-portal-server-pt] logout-notify retry 3 interval 5

Related commands

display portal server

nas-port-type

Use nas-port-type to specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server.

Use undo nas-port-type to restore the default.

Syntax

nas-port-type value

undo nas-port-type

Default

The NAS-Port-Type value carried in RADIUS requests is not set.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the NAS-Port-Type value in the range of 1 to 255.

Usage guidelines

Some MAC binding servers identify MAC-based quick portal authentication by a specific NAS-Port-Type value in received RADIUS requests. To communicate with such a MAC binding server, you must configure the device to use the NAS-Port-Type value required by the MAC binding server.

Examples

# Set the NAS-Port-Type value to 30 for RADIUS requests sent to MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] nas-port-type 30

Related commands

display mac-trigger-server

port (MAC binding server view)

Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The MAC binding server listens for MAC binding query packets on UDP port 50100.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening UDP port number in the range of 1 to 65534.

Usage guidelines

The specified port number must be the same as the query listening port number configured on the MAC binding server.

Examples

# Set the UDP port number to 1000 for MAC binding server pts to listen for MAC binding query packets.

<sysname> system-view

[sysname] portal mac-trigger-server mts

[sysname-portal-mac-trigger-server-mts] port 1000

Related commands

display mac-trigger-server

port (portal authentication server view)

Use port to set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The device uses 50100 as the destination UDP port number for unsolicited portal packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534.

Usage guidelines

The specified port must be the port that listens to portal packets on the portal authentication server.

Examples

# Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to portal authentication server pts.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] port 50000

Related commands

portal server

portal { bas-ip | bas-ipv6 }

Use portal { bas-ip | bas-ipv6 } to configure the BAS-IP or BAS-IPv6 attribute carried in the portal packets sent to the portal authentication server.

Use undo portal { bas-ip | bas-ipv6 } to restore the default.

Syntax

portal { bas-ip ipv4-address | bas-ipv6 ipv6-address }

undo portal { bas-ip | bas-ipv6 }

Default

The BAS-IP attribute of an IPv4 portal reply packet sent to the portal authentication server is the source IPv4 address of the packet. The BAS-IPv6 attribute of an IPv6 portal reply packet sent to the portal authentication server is the source IPv6 address of the packet.

The BAS-IP attribute of an IPv4 portal notification packet sent to the portal authentication server is the IPv4 address of the packet's output interface. The BAS-IPv6 attribute of an IPv6 portal notification packet sent to the portal authentication server is the IPv6 address of the packet's output interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies BAS-IP for portal packets sent to the portal authentication server. This attribute must be the IPv4 address of an interface on the device. It cannot be 0.0.0.0, 1.1.1.1, a class D address, a class E address, or a loopback address.

ipv6-address: Specifies BAS-IPv6 for portal packets sent to the portal authentication server. This attribute must be the IPv6 address of an interface on the device. It cannot be a multicast address, an all-0 address, or a link-local address.

Usage guidelines

If the device runs Portal 2.0, unsolicited portal packets (such as a logout notification packet) sent to the portal authentication server must carry the BAS-IP attribute. If the device runs Portal 3.0, unsolicited portal packets sent to the portal authentication server must carry the BAS-IP or BAS-IPv6 attribute.

After this command takes effect, the source IP address for unsolicited notification portal packets the device sends to the portal authentication server is the configured BAS IP address. If the attribute is not configured, the source IP address of the packets is the IP address of the packet output interface.

You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface if the following conditions are met:

· The portal authentication server is an H3C IMC server or the portal authentication mode on the interface is re-DHCP.

· The portal device IP address specified on the portal authentication server is not the IP address of the portal packet output interface.

Examples

# On interface GigabitEthernet 3/1/1, configure the BAS-IP attribute as 2.2.2.2 for portal packets sent to the portal authentication server.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal bas-ip 2.2.2.2

Related commands

display portal

portal { ipv4-max-user | ipv6-max-user }

Use portal { ipv4-max-user | ipv6-max-user } to set the maximum number of portal users allowed on an interface.

Use undo portal { ipv4-max-user | ipv6-max-user } to restore the default.

Syntax

portal { ipv4-max-user | ipv6-max-user } max-number

undo portal { ipv4-max-user | ipv6-max-user }

Default

The maximum number of portal users allowed on an interface is not limited.

Views

Interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of IPv4 or IPv6 portal users allowed on an interface, in the range of 1 to 4294967295.

Usage guidelines

If the specified maximum number is smaller than the number of current online portal users on the interface, the limit can be set successfully. The limit does not impact the online portal users. However, the device does not allow new portal users to log in from the interface until the number drops down below the limit.

Examples

# Set the maximum number of IPv4 portal users to 100 on GigabitEthernet 3/1/1

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal ipv4-max-user 100

Related commands

display portal user

portal max-user

portal access-info trust

Use portal access-info trust to configure the device to obtain user information from ARP or ND entries.

Use portal access-info trust to restore the default.

Syntax

portal access-info trust { arp | nd }

undo portal access-info trust { arp | nd }

Default

The device obtains user information from FIB entries.

Views

System view

Predefined user roles

network-admin

Parameters

arp: Obtains user information from ARP entries.

nd: Obtains user information from ND entries.

Usage guidelines

In an IPoE Web authentication network, when the device receives portal packets from the portal authentication server, it obtains user access information to complete authentication for users.

By default, the device obtains the user access information from FIB entries in the VPN instance of the portal authentication server. In the following situation, however, the device cannot get user access information from FIB and therefore users cannot pass Web authentication:

· The DHCP access users and the portal authentication server belong to different VPN instances.

· The user access interface is not bound to a VPN instance.

To resolve this issue, you can configure the device to obtain user access information from ARP or ND entries during Web authentication.

To use this feature, make sure the VPN instances do not have overlapping IP addresses. Otherwise, this feature cannot ensure normal user logins.

Examples

# Configure the device to get user access information from ARP entries.

<Sysname> system-view

[Sysname] portal access-info trust arp

portal apply mac-trigger-server

Use portal apply mac-trigger-server to specify a MAC binding server.

Use undo portal apply mac-trigger-server to restore the default.

Syntax

portal apply mac-trigger-server server-name

undo portal apply mac-trigger-server

Default

No MAC binding server is specified.

Views

Interface view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

Only IPv4 direct authentication supports MAC-based quick authentication.

For MAC-based quick portal authentication to take effect, perform the following tasks:

· Configure normal portal authentication.

· Configure a MAC binding server.

· Specify the MAC binding server on a portal enabled interface.

Examples

# Specify MAC binding server mts on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal apply mac-trigger-server mts

Related commands

portal mac-trigger-server

portal apply pre-auth-policy

Use portal apply pre-auth-policy to apply a portal preauthentication policy to an interface.

Use undo portal apply pre-auth-policy to restore the default.

Syntax

portal [ ipv6 ] apply pre-auth-policy policy-name

undo portal [ ipv6 ] apply pre-auth-policy

Default

No portal preauthentication policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies a portal preauthentication policy for IPv6 portal users. Do not specify this keyword for IPv4 portal users.

policy-name: Specifies a portal preauthentication policy by its name, a case-insensitive string of 1 to 64 characters.

Usage guidelines

A portal preauthentication policy defines user attributes assigned to preauthentication portal users on a portal-enabled interface after the users obtain IP addresses. Before the preauthentication users pass portal authentication, they have limited access to the network based on the assigned user attributes (such as ACL, user profile, and CAR). After the users pass portal authentication, they are assigned new attributes by the AAA server. After the users go offline, they are reassigned user attributes in the preauthentication policy.

A portal preauthentication policy takes effect only on portal users with IP addresses assigned by DHCP or DHCPv6.

A portal preauthentication policy does not take effect on an interface enabled with cross-subnet portal authentication.

If you modify a user attribute (or its contents) in a portal preauthentication policy, the modification immediately takes effect on the policy-applied interface for preauthentication users.

Example

# Apply portal preauthentication policy abc to GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal apply pre-auth-policy abc

Related commands

portal pre-auth policy

portal apply web-server

Use portal [ ipv6 ] apply web-server to specify a portal Web server. The device redirects the HTTP or HTTPS requests sent by unauthenticated portal users to the portal Web server.

Use undo portal [ ipv6 ] apply web-server to restore the default.

Syntax

portal [ ipv6 ] apply web-server server-name [ fail-permit ]

undo portal [ ipv6 ] apply web-server

Default

No portal Web server is specified.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 portal Web server. If the server is an IPv4 portal Web server, do not specify this keyword.

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. The name must already exist.

fail-permit: Enables the portal fail-permit feature on the interface. The portal fail-permit feature allows portal users to access the Internet without authentication when the portal Web server is unreachable.

Usage guidelines

You can enable both IPv4 and IPv6 portal authentication on an interface. Therefore, you can specify both an IPv4 portal Web server and an IPv6 portal Web server on the interface.

When portal fail-permit is enabled for a portal authentication server and a portal Web server on the interface, portal authentication is disabled for users on the interface if either server is unreachable. Portal authentication resumes after both servers become reachable.

Examples

# Specify portal Web server wbs on GigabitEthernet 3/1/1 for portal authentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal apply web-server wbs

Related commands

display portal

portal fail-permit server

portal web-server

portal authorization strict-checking

Use portal authorization strict-checking to enable strict checking on portal authorization information.

Use undo portal authorization strict-checking to disable strict checking on portal authorization information.

Syntax

portal authorization { acl | user-profile } strict-checking

undo portal authorization { acl | user-profile } strict-checking

Default

Strict checking on portal authorization information is disabled. If an authorized ACL or user profile does not exist on the device or the ACL or user profile fails to be deployed, the user will not be logged out.

Views

Interface view

Predefined user roles

network-admin

Parameters

acl: Enables strict checking on authorized ACLs.

user-profile: Enables strict checking on authorized user profiles.

Usage guidelines

You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both strict ACL checking and user profile checking, the user will be logged out if either checking fails.

An ACL/user profile checking fails when the authorized ACL/user profile does not exist on the device or the ACL/user profile fails to be deployed.

Examples

# Enable strict checking on authorized ACLs on GigabitEthernet 3/1/1

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname–GigabitEthernet3/1/1] portal authorization acl strict-checking

Related commands

display portal

portal delete-user

Use portal delete-user to log out online portal users.

Syntax

portal delete-user { ipv4-address | all | interface interface-type interface-number | ipv6 ipv6-address | session-id session-id | username username }

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of an IPv4 online portal user.

all: Specifies IPv4 and IPv6 online portal users on all interfaces.

interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 online portal users on the interface.

ipv6 ipv6-address: Specifies the IP address of an IPv6 online portal user.

session-id session-id: Specifies the session ID of an online portal user. The session-id argument is a string of 1 to 64 characters and cannot contain a letter. A session ID uniquely identifies an online portal user.

username username: Specifies the username of an online portal user, a case-sensitive string of 1 to 253 characters.

Examples

# Log out the online portal user whose IP address is 1.1.1.1.

<Sysname> system-view

[Sysname] portal delete-user 1.1.1.1

Related commands

display portal user

portal device-id

Use portal device-id to specify the device ID.

Use undo portal device-id to restore the default.

Syntax

portal device-id device-id

undo portal device-id

Default

A device is not configured with a device ID.

Views

System view

Predefined user roles

network-admin

Parameters

device-id: Specifies a device ID for the device, a case-sensitive string of 1 to 63 characters.

Usage guidelines

The portal authentication server uses device IDs to identify the device that sends protocol packets to the portal server.

Make sure the configured device ID is different than any other access devices communicating with the same portal authentication server.

Examples

# Set the device ID of the device to 0002.0010.100.00.

<Sysname> system-view

[Sysname] portal device-id 0002.0010.100.00

portal domain

Use portal [ ipv6 ] domain to specify a portal authentication domain on an interface. All portal users accessing through the interface must use the authentication domain.

Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain.

Syntax

portal [ ipv6 ] domain domain-name

undo portal [ ipv6 ] domain

Default

No portal authentication domain is configured on an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an authentication domain for IPv6 portal users. Do not specify this keyword for IPv4 portal users.

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

You can specify both an IPv4 portal authentication domain and an IPv6 portal authentication domain on an interface.

Do not specify the ipv6 keyword for IPv4 portal users.

Examples

# Specify ISP domain my-domain as the authentication domain for IPv4 portal users on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname–GigabitEthernet3/1/1] portal domain my-domain

Related commands

display portal

portal enable

Use portal [ ipv6 ] enable to enable portal authentication.

Use undo portal [ ipv6 ] enable to disable portal authentication.

Syntax

portal enable method { direct | layer3 | redhcp }

portal ipv6 enable method { direct | layer3 }

undo portal [ ipv6 ] enable

Default

Portal authentication is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Enables IPv6 portal authentication. Do not specify this keyword for IPv4 portal authentication.

method: Specifies an authentication mode:

· direct—Direct authentication.

· layer3—Cross-subnet authentication.

· redhcp—Re-DHCP authentication.

Usage guidelines

To modify the portal authentication mode, first execute the undo form of this command to disable portal authentication.

Make sure the device supports IPv6 ACL and IPv6 forwarding before you enable IPv6 portal authentication on the interface.

IPv6 portal authentication does not support the re-DHCP authentication mode.

You can enable both IPv4 and IPv6 portal authentication on an interface.

Do not add a portal authentication-enabled Ethernet interface to an aggregation group. Otherwise, portal authentication cannot take effect on the interface.

Examples

# Enable direct IPv4 portal authentication on GigabitEthernet 3/1/1

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal enable method direct

Related commands

display portal

portal fail-permit server

Use portal [ ipv6 ] fail-permit server to enable the portal fail-permit feature for a portal authentication server on the interface.

Use undo portal [ ipv6 ] fail-permit server to disable the portal fail-permit feature for the portal authentication server.

Syntax

portal [ ipv6 ] fail-permit server server-name

undo portal [ ipv6 ] fail-permit server

Default

Portal fail-permit is disabled for the portal authentication server.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server.

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

When portal fail-permit is enabled for a portal authentication server and a portal Web server on an interface, the interface disables portal authentication for portal users if either server is unreachable. Portal authentication resumes on the interface when both servers become reachable. After portal authentication resumes, unauthenticated portal users need to pass authentication to access network resources. Portal users who has passed authentication can continue accessing network resources.

You can enable portal fail-permit for at most one portal authentication server and one portal Web server on an interface.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable portal fail-permit for portal authentication server pts1 on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal fail-permit server pts1

Related commands

display portal

portal free-rule

Use portal free-rule to configure an IP-based portal-free rule.

Use undo portal free-rule to delete portal-free rules.

Syntax

portal free-rule rule-number { destination ip { ipv4-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | source ip { ipv4-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]

portal free-rule rule-number { destination ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] | source ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]

undo portal free-rule { rule-number | all }

Default

No IP-based portal-free rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295.

destination: Specifies the destination information.

source: Specifies the source information.

ip ipv4-address: Specifies an IPv4 address for the portal-free rule.

{ mask-length | mask }: Specifies the subnet mask of the IPv4 address. The value range for the mask-length argument is 0 to 32. The mask argument is in dotted decimal format.

ipv6 ipv6-address: Specifies an IPv6 address for the portal-free rule.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

ip any: Represents any IPv4 address.

ipv6 any: Represents any IPv6 address.

tcp tcp-port-number: Specifies a TCP port number for the portal-free rule, in the range of 0 to 65535.

udp udp-port-number: Specifies a UDP port number for the portal-free rule, in the range of 0 to 65535.

all: Specifies all portal-free rules.

interface interface-type interface-number: Specifies a Layer 3 interface on which the portal-free rule takes effect.

Usage guidelines

You can specify both the source and destination keyword for a portal-free rule. If you specify only one keyword, the other keyword does not act as a filtering criterion.

If you specify both a source port number and a destination port number for a portal-free rule, the two port numbers must belong to the same transport layer protocol.

If you do not specify a Layer 3 interface, the portal-free rule takes effect on all portal-enabled interfaces.

You cannot configure two portal-free rules with the same filtering criteria.

Examples

# Configure an IPv4-based portal-free rule:

· Set the rule number to 1.

· Specify the source IP address as 10.10.10.1/24, the destination IP address as 20.20.20.1, and the destination TCP port number as 23.

· Specify the interface where the rule is applied as GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] portal free-rule 1 destination ip 20.20.20.1 32 tcp 23 source ip 10.10.10.1 24 interface gigabitethernet 3/1/1

With this rule, users in subnet 10.10.10.1/24 do not need to pass portal authentication on GigabitEthernet 3/1/1 when they access services provided on TCP port 23 of host 20.20.20.1.

# Configure an IPv6-based portal-free rule:

· Set the rule number to 2.

· Specify the source IP address as 2000::1/64, the destination IP address as 2001::1, and the destination TCP port number as 23.

· Specify the interface where the rule is applied as GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ipv6 2000::1 64 interface gigabitethernet 3/1/1

With this rule, users in subnet 2000::1/64 do not need to pass portal authentication on GigabitEthernet 3/1/1 when they access services provided on TCP port 23 of host 2001::1

Related commands

display portal rule

portal free-rule destination

Use portal free-rule destination to configure a destination-based portal-free rule.

Use undo portal free-rule to delete portal-free rules.

Syntax

portal free-rule rule-number destination host-name

undo portal free-rule { rule-number | all }

Default

No destination-based portal-free rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295.

destination: Specifies the destination host.

host-name: Specifies the destination host by its name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, hyphens (-), underscores (_), dots (.), and asterisks (*). The host name string cannot be i, ip, ipv, or ipv6.

all: Specifies all portal-free rules.

Usage guidelines

Before you configure destination-based portal-free rules, make sure a DNS server has been deployed on the network.

You can configure a host name in one of the following ways:

· For exact match—Specify a complete host name. For example, if you configure the host name as abc.com.cn in the portal-free rule, only packets that contain the host name abc.com.cn match the rule. Packets that carry any other host names (such as dfabc.com.cn) do not match the rule.

· For fuzzy match—Specify a host name by placing the asterisk (*) wildcard character at the beginning or end of the host name string. For example, if you configure the host name as *abc.com.cn, abc*, or *abc*, packets that carry the host name ending with abc.com.cn, starting with abc, or including abc match the rule.

¡ The asterisk (*) wildcard character represents any characters. The device treats multiple consecutive asterisks as one.

¡ The configured host name cannot contain only asterisks (*).

The fuzzy match feature takes effect only on HTTP or HTTPS requests initiated by Web browsers.

You cannot configure two destination-based portal-free rules with the same destination information. Otherwise the system prompts you that the same rule already exists.

Examples

# Configure a destination-based portal-free rule: specify the rule number as 4 and the host name as www.h3c.com. This rule allows the portal user who sends the HTTP/HTTPS request that carries the host name www.h3c.com to access network resources without authentication.

<Sysname> system-view

[Sysname] portal free-rule 4 destination www.h3c.com

Related commands

display portal rule

portal free-rule source

Use portal free-rule source to configure a source-based portal-free rule. The filtering criteria include source interface and source VLAN.

Use undo portal free-rule to delete a specific or all portal-free rules.

Syntax

portal free-rule rule-number source { interface interface-type interface-number | vlan vlan-id } *

undo portal free-rule { rule-number | all }

Default

No source-based portal-free rules exist.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number. The value range for this argument in the range of 0 to 4294967295.

interface interface-type interface-number: Specifies a source interface by its type and number for the portal-free rule.

vlan vlan-id: Specifies a source VLAN ID for the portal-free rule. This option takes effect only on portal users that access the network through VLAN interfaces.

all: Specifies all portal-free rules.

Usage guidelines

If you specify both the source VLAN and the source Layer 2 interface, the interface must be in the VLAN.

Examples

# Configure source-based portal-free rule: specify the rule number as 3 and source VLAN ID as 10. This rule allows portal users from VLAN 10 to access network resources without authentication.

<Sysname> system-view

[Sysname] portal free-rule 3 source vlan 10

Related commands

display portal rule

portal http-defense

Use portal http-defense to set portal HTTP and HTTPS attack defense parameters.

Use undo portal http-defense to restore the default.

Syntax

portal http-defense { block-timeout minutes | statistics-interval value | threshold number } *

undo portal http-defense { block-timeout minutes | statistics-interval value | threshold number } *

Default

The blocking timer is 10 minutes, the statistical interval for counting redirected HTTP requests is 5 minutes, and the blocking threshold is 6000 packets.

Views

System view

Predefined user roles

network-admin

Parameters

block-timeout minutes: Specifies the blocking timer, in the range of 1 to 60 minutes.

statistics-interval value: Specifies the statistical interval for counting redirected HTTP requests, in the range of 1 to 60 minutes.

threshold number: Specifies the blocking threshold, in the range of 100 to 4294967295 packets.

Usage guidelines

The portal HTTP and HTTPS attack defense feature counts the number of HTTP and HTTPS requests to be redirected on a per destination IP address basis. If the number of redirected HTTP and HTTPS requests for an IP address reaches the blocking threshold within a statistical interval, the device starts a blocking timer for the IP address. Before the blocking timer expires, the device discards all subsequent HTTP and HTTPS requests destined for the IP address.

If you modify the configuration, the new configuration takes effect on subsequent HTTP and HTTPS requests.

Examples

# Set portal HTTP and HTTPS attack defense parameters: the blocking timer to 5 minutes, the statistical interval to 2 minutes, and the blocking threshold to 200 packets.

<Sysname> system-view

[Sysname] portal http-defense block-timeout 5 statistics-interval 2 threshold 200

Related commands

portal http-defense enable

portal http-defense max-ip-number

portal http-defense enable

Use portal http-defense enable to enable portal HTTP and HTTPS attack defense.

Use undo portal http-defense enable to disable portal HTTP and HTTPS attack defense.

Syntax

portal http-defense enable

undo portal http-defense enable

Default

Portal HTTP and HTTPS attack defense is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If a user generates a lot of HTTP and HTTPS requests before passing portal authentication, the HTTP and HTTPS requests will use much resources of the device, causing authentication delay or failure.

Use this feature to avoid high resource usage caused by excessive HTTP and HTTPS requests from unauthenticated portal users.

Examples

# Enable portal HTTP and HTTPS attack defense.

<Sysname> system-view

[Sysname] portal http-defense enable

portal http-defense max-ip-number

Use portal http-defense max-ip-number to set the maximum number of monitored destination IP addresses in portal HTTP and HTTPS attack defense.

Use undo portal http-defense max-ip-number to restore the default.

Syntax

portal http-defense max-ip-number max-ip-number

undo portal http-defense max-ip-number

Default

The maximum number of destination IP addresses that can be monitored by portal HTTP and HTTPS attack defense is 4096.

Views

System view

Predefined user roles

network-admin

Parameters

max-ip-number: Specifies the maximum number of monitored destination IP addresses in portal HTTP and HTTPS attack defense. The value range for this argument is 1 to 8000.

Usage guidelines

This command sets the maximum number of destination IP addresses that can be monitored by the device for portal HTTP and HTTPS attack defense.

Examples

# Set the maximum number of monitored destination IP addresses to 2000 for portal HTTP and HTTPS attack defense.

<Sysname> system-view

[Sysname] portal http-defense max-ip-number 2000

Related commands

portal http-defense

portal ipv6 layer3 source

Use portal ipv6 layer3 source to configure an IPv6 portal authentication source subnet.

Use undo portal ipv6 layer3 source to delete IPv6 portal authentication source subnets.

Syntax

portal ipv6 layer3 source ipv6-network-address prefix-length

undo portal ipv6 layer3 source [ ipv6-network-address ]

Default

No IPv6 portal authentication source subnet is configured. Portal users from any IPv6 subnet must pass portal authentication.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-network-address: Specifies an IPv6 portal authentication source subnet address.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

Usage guidelines

With IPv6 authentication source subnets configured, only packets from IPv6 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv6 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.

If you do not specify the ipv6-network-address argument in the undo portal ipv6 layer3 source command, this command deletes all IPv6 portal authentication source subnets on the interface.

Only cross-subnet authentication supports authentication source subnets.

Examples

# Configure an IPv6 portal authentication source subnet of 1::1/16 on GigabitEthernet 3/1/1. Only portal users from subnet 1::1/16 trigger portal authentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname–GigabitEthernet3/1/1] portal ipv6 layer3 source 1::1 16

Related commands

display portal

portal ipv6 user-detect

Use portal ipv6 user-detect to enable online detection of IPv6 portal users.

Use undo portal ipv6 user-detect to disable online detection of IPv6 portal users.

Syntax

portal ipv6 user-detect type { icmpv6 | nd } [ retry retries ] [ interval interval ] [ idle time ]

undo portal ipv6 user-detect

Default

Online detection of IPv6 portal users is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

type: Specifies the detection type.

· icmpv6—ICMPv6 detection.

· nd—ND detection.

retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.

interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.

idle time: Sets the user idle timeout in the range of 60 to 3600 seconds. The default idle timeout is 180 seconds. When the timeout expires, online detection of portal users is started.

Usage guidelines

If the device receives no packets from a portal user within the idle time, the device detects the user's online status as follows:

· ICMPv6 detection—Sends ICMPv6 requests to the user at configurable intervals to detect the user status.

¡ If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡ If the device receives no reply after the maximum number of detection attempts, the device logs out the user.

· ND detection—Sends ND requests to the user and detects the ND entry status of the user at configurable intervals.

¡ If the ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ND entry. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡ If the ND entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.

Direct authentication and re-DHCP authentication support both ND detection and ICMPv6 detection. Cross-subnet authentication only supports ICMPv6 detection.

If firewall policies on the access device filter out ICMPv6 packets, ICMPv6 detection might fail and result in the logout of portal users. Make sure the access device does not block ICMPv6 packets before you enable ICMPv6 detection on an interface.

Examples

# Enable online detection of IPv6 portal users on GigabitEthernet 3/1/1. Configure the detection type as ICMPv6, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname–GigabitEthernet3/1/1] portal ipv6 user-detect type icmpv6 retry 5 interval 10 idle 300

Related commands

display portal

portal layer3 source

Use portal layer3 source to configure an IPv4 portal authentication source subnet.

Use undo portal layer3 source to delete IPv4 portal authentication source subnets.

Syntax

portal layer3 source ipv4-network-address { mask-length | mask }

undo portal layer3 source [ ipv4-network-address ]

Default

No IPv4 portal authentication source subnet is configured. Portal users from any IPv4 subnet must pass portal authentication.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-network-address: Specifies an IPv4 portal authentication source subnet address.

mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.

mask: Specifies the subnet mask in dotted decimal format.

Usage guidelines

With IPv4 authentication source subnets configured, only packets from IPv4 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv4 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.

If you do not specify the ipv4-network-address argument in the undo portal layer3 source command, this command deletes all IPv4 portal authentication source subnets on the interface.

Only cross-subnet authentication supports authentication source subnets.

Examples

# Configure an IPv4 portal authentication source subnet of 10.10.10.0/24 on GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname–GigabitEthernet3/1/1] portal layer3 source 10.10.10.0 24

Related commands

display portal

portal local-web-server

Use portal local-web-server to create an HTTP- or HTTPS-based local portal Web service and enter its view, or enter the view of the existing HTTP- or HTTPS-based local portal Web service.

Use undo portal local-web-server to delete the HTTP- or HTTPS-based local portal Web service.

Syntax

portal local-web-server { http | https ssl-server-policy policy-name [ tcp-port port-number ] }

undo portal local-web-server { http | https }

Default

No local portal Web service exists.

Views

System view

Predefined user roles

network-admin

Parameters

http: Specifies the HTTP-based local portal Web service, which uses HTTP to exchange authentication information with clients.

https: Specifies the HTTPS-based local portal Web service, which uses HTTPS to exchange authentication information with clients.

ssl-server-policy policy-name: Specifies an existing SSL server policy for HTTPS. The policy name is a case-insensitive string of 1 to 31 characters.

tcp-port port-number: Specifies the listening TCP port number for the HTTPS-based local portal Web service. The value range for the port-number argument is 1 to 65535. The default port number is 443.

Usage guidelines

In the local portal Web service, the access device also acts as the portal Web server and the portal authentication server. No external portal Web server and portal authentication server are needed.

For an interface to use the local portal Web service, the URL of the portal Web server specified for the interface must meet the following requirements:

· The IP address in the URL must be the IP address of a Layer 3 interface (except 127.0.0.1) on the device, and the IP address must be reachable to portal clients.

· The URL must be ended with /portal/. For example: http://1.1.1.1/portal/.

You cannot delete an SSL server policy by using the undo ssl server-policy command when the policy is associated with HTTPS.

To specify a new SSL server policy for HTTPS, first execute the undo form of this command to delete the existing HTTPS-based local portal Web service.

When you specify the listening TCP port number for the HTTPS-based local portal Web service, follow these restrictions and guidelines:

· For HTTPS-based local portal Web service and other services that use HTTPS:

¡ If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.

¡ If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.

· Do not configure the HTTPS listening TCP port number as the port number used by a known protocol (except HTTPS) or other service.

· Do not configure the same TCP port number for HTTP-based local portal Web service and HTTPS-based local portal Web service.

Examples

# Create an HTTP-based local portal Web service and enter its view.

<Sysname> system-view

[Sysname] portal local-web-server http

# Create an HTTPS-based local portal Web service and associate SSL server policy policy1 with the service.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1

# Change the associated SSL server policy to policy2.

[Sysname] undo portal local-web-server https

[Sysname] portal local-web-server https ssl-server-policy policy2

# Create an HTTPS-based local portal Web service. In the service, the associated SSL server policy is policy1 and the listening port number is 442.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1 tcp-port 442

[Sysname-portal-local-websvr-https] quit

Related commands

default-logon-page

portal local-web-server

ssl server-policy

portal mac-trigger-proxy ip

Use portal mac-trigger-proxy ip to specify the portal proxy for MAC-binding servers.

Use undo portal mac-trigger-proxy ip to restore the default.

Syntax

portal mac-trigger-proxy ip ip-address [ port port-number ]

undo portal mac-trigger-proxy ip

Default

No portal proxy is specified for MAC binding servers.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the portal proxy for MAC binding servers.

port port-number: Specifies the UDP port number on which the portal proxy listens for the packets from the access device. The value range for the port-number argument is 1 to 65535, and the default port number is 50100.

Examples

# Configure the portal proxy IP address as 192.168.0.111 and port number as 4000 for MAC binding servers.

<Sysname> system-view

[Sysname] portal mac-trigger-proxy ip 192.168.0.111 port 4000

portal mac-trigger-server

Use portal mac-trigger-server to create a MAC binding server and enter its view, or enter the view of an existing MAC binding server.

Use undo portal mac-trigger-server to delete the MAC binding server.

Syntax

portal mac-trigger-server server-name

undo portal mac-trigger-server server-name

Default

No MAC binding servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

After you create a MAC binding server, you can configure MAC binding server parameters, such as the server's IP address and the free-traffic threshold.

Examples

# Create the MAC binding server mts and enter its view.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts]

Related commands

display mac-trigger-server

portal apply mac-trigger-server

portal max-user

Use portal max-user to set the maximum number of total portal users allowed in the system.

Use undo portal max-user to restore the default.

Syntax

portal max-user max-number

undo portal max-user

Default

The total number of portal users allowed in the system is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of total portal users in the system. The value range for this argument is 1 to 4294967295.

Usage guidelines

If you configure the maximum total number smaller than the number of current online portal users on the device, this command still takes effect. The online users are not affected by this command, but the system forbids new portal users to log in.

This command sets the maximum number of online IPv4 and IPv6 portal users in all.

Make sure the total number of the maximum IPv4 and IPv6 portal users allowed on all interfaces does not exceed the system-allowed maximum number. Otherwise, the exceeding portal users will not be able to log in to the device.

Examples

# Set the maximum number of online portal users allowed in the system to 100.

<Sysname> system-view

[Sysname] portal max-user 100

Related commands

display portal user

portal { ipv4-max-user | ipv6-max-user }

portal nas-id profile

Use portal nas-id-profile to specify a NAS-ID profile for an interface.

Use undo portal nas-id-profile to restore the default.

Syntax

portal nas-id-profile profile-name

undo portal nas-id-profile

Default

No NAS-ID profile is specified for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of a NAS-ID profile, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The specified NAS-ID profile takes effect only if NAS-ID and VLAN bindings exist in the NAS-ID profile. To configure a NAS-ID profile, use the aaa nas-id profile command. To configure a NAS-ID and VLAN binding in a NAS-ID profile, use the nas-id bind command.

For an interface, the NAS-ID profile specified by using the portal nas-id-profile command takes precedence over the NAS-ID profile configured by using the aaa nas-id-profile command.

If an interface is specified with a NAS-ID profile, the interface prefers to use the bindings defined in the profile.

If no NAS-ID profile is specified for an interface or no matching binding is found in the specified profile, the device uses the device name as the interface NAS-ID.

Examples

# Specify the NAS-ID profile aaa for GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname–GigabitEthernet3/1/1] portal nas-id-profile aaa

Related commands

aaa nas-id profile

portal nas-port-id format

Use portal nas-port-id format to specify the NAS-Port-ID attribute format.

Use undo portal nas-port-id format to restore the default.

Syntax

portal nas-port-id format { 1 | 2 | 3 | 4 | custom { c-vid [ delimiter ] | interface-type [ delimiter ] | port [ delimiter ] | slot [ delimiter ] | subslot [ delimiter ] | s-vid [ delimiter ] | string string [ delimiter ] | vxlan-id [ delimiter ] } * }

undo portal nas-port-id format

Default

The format for the NAS-Port-ID attribute is format 2.

Views

System view

Predefined user roles

network-admin

Parameters

1: Specifies format 1 for the NAS-Port-Id attribute.

2: Specifies format 2 for the NAS-Port-Id attribute.

3: Specifies format 3 for the NAS-Port-Id attribute.

4: Specifies format 4 for the NAS-Port-Id attribute.

custom: Specifies a custom format for the NAS-Port-Id attribute.

c-vid: Includes the inner VLAN ID of user packets.

interface-type: Includes the access interface type.

port: Includes the access port number.

s-vid: Includes the outer VLAN ID of user packets.

slot: Includes the number of the slot the user accesses.

subslot: Includes the number of the subslot the user accesses.

string string: Includes a custom string, a case-sensitive string of 1 to 63 characters. The custom string cannot contain a question mark (?).

vxlan-id: Includes the VXLAN ID to which user packets belong.

delimiter: Specifies an attribute field delimiter. The delimiter can be any character except question mark (?). If you do not specify a delimiter, the attribute fields are not separated.

Usage guidelines

The NAS-Port-Id format supported by RADIUS servers varies by vendor. Use this command to specify the format of the NAS-Port-Id attribute in the RADIUS packets sent for portal users to the RADIUS server. The device then automatically constructs a value for the NAS-Port-Id attribute in the specified format to meet the RADIUS server requirements.

The NAS-Port-Id attribute formats include predefined formats (format 1, 2, 3, and 4) and the custom format. For a predefined format, the contents are fixed and cannot be modified. For a custom format, you can specify fields to be carried in the NAS-Port-Id attribute and a delimiter to separate these fields.

Format 1 contains three space-separated strings: interface-type port-location access-node-id. Spaces are not allowed within a string.

· The interface-type string specifies the interface type of the NAS port. Available options include:

¡ eth—Common Ethernet interface.

¡ trunk—Ethernet trunk interface.

¡ 0—The interface type information will be reported by the access node to the BRAS.

· The port-location string represents the location of the access line on the BRAS. Its format is NAS_slot/NAS_subslot/NAS_port:[VXLAN.]XPI.XCI.

Field	Description
NAS_slot	Slot number of the BRAS, in the range of 0 to 31.
NAS_subslot	Subslot number of the BRAS, in the range of 0 to 31.
NAS_Port	Port number of the BRAS, in the range of 0 to 63.
VXLAN	Optional. VXLAN ID.
XPI.XCI	For Ethernet interfaces or Ethernet trunk interfaces: · XPI is PVLAN in the range of 0 to 4095. This field is set to 4096 if there is no PVLAN. · XCI is CVLAN in the range of 0 to 4095. This field is set to 4096 if the user is not assigned to a VLAN as in the situation where the end user device is directly connected to a BRAS port.

For the access node to report its access line information to the BRAS, all fields will be set to 0s except for the XPI and XCI fields.

· The access-node-id string specifies the attributes of the BRAS. Its format is AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port:ANI_XPI.ANI_XCI, in which the :ANI_XPI.ANI_XCI portion is optional.

Field	Description
AccessNodeIdentifier	Identifier description of the access node, a string not longer than 50 characters without spaces.
ANI_rack	Rack number of the access node, in the range of 0 to 15.
ANI_frame	Frame number of the access node, in the range of 0 to 31.
ANI_slot	Slot number of the access node, in the range of 0 to 127.
ANI_subslot	Subslot number of the access node, in the range of 0 to 31.
ANI_port	Port number of the access node, in the range of 0 to 255.
ANI_XPI.ANI_XCI	Optional. This field is mainly used to carry CPE-side service information, identifying the further service type requirement. For Ethernet interfaces or Ethernet trunk interfaces: · ANI_XPI is PVLAN in the range of 0 to 4095. This field is set to 4096 if there is no PVLAN. · ANI_XCI is CVLAN in the range of 0 to 4095. This field is set to 4096 if the user is not assigned to a VLAN as in the situation where the end user device is directly connected to a BRAS port.

If the device does not have rack, frame, or subslot information, 0 is padded in the corresponding field.

· Examples of format 1:

NAS-Port-Id	Description
eth 31/31/7:1234.2345 0/0/0/0/0/0	The subscriber interface type is Ethernet. The port location information is as follows: · The slot number is 31. · The subslot number is 31. · The port number is 7. · The PVLAN is 1234 and the CVLAN is 2345.
eth 31/31/7:4096.2345 0/0/0/0/0/0	The subscriber interface type is Ethernet. The port location information is as follows: · The slot number is 31. · The subslot number is 31. · The port number is 7. · The VLAN ID is 2345.
eth 31/31/7:4096.2345 guangzhou001/1/31/63/31/127	The subscriber interface type is Ethernet. The port location information is as follows: · The slot number is 31. · The subslot number is 31. · The port number is 7. · The VLAN ID is 2345. The BRAS attribute information is as follows: · The access node identifier of the DSLAM is guangzhou001. · The rack number is 1. · The frame number is 31. · The slot number is 63. · The subslot number is 31. · The port number is 127.

Format 2 is SlotID00IfNOVlanID.

· SlotID—Slot number, a string of 2 characters.

· IfNO—Interface number, a string of 3 characters.

· VlanID—VLAN ID, a string of 9 characters.

Format 3 is SlotID00IfNOVlanIDDHCPoption.

· SlotID—Slot number, a string of 2 characters.

· IfNO—Interface number, a string of 3 characters.

· VlanID—VLAN ID, a string of 9 characters.

· DHCPoption—DHCP option 82 is appended for IPv4 users and DHCP option 18 is appended for IPv6.

Format 4 is slot=**;subslot=**;port=**;vlanid=**;vlanid2=**.

· For non-VLAN interfaces, the slot=**;subslot=**;port=**;vlanid=0 format is used.

· For interfaces that terminate only the outermost VLAN tag, the slot=**;subslot=**;port=**;vlanid=** format is used.

The NAS-Port-Id attribute in a custom format contains only the fields and delimiters that you specified. For example, execute the portal nas-port-id format custom slot @ subslot @ port command. The NAS-Port-Id attribute contains the slot number, subslot number, and port number in sequence and these fields are separated by at sign (@).

Examples

# Set the format of the NAS-Port-ID attribute to format 1.

<Sysname> system-view

[Sysname] portal nas-port-id format 1

portal pre-auth ip-pool

Use portal [ ipv6 ] pre-auth ip-pool to specify a preauthentication IP address pool for portal users.

Use undo portal [ ipv6 ] pre-auth ip-pool to restore the default.

Syntax

portal [ ipv6 ] pre-auth ip-pool pool-name

undo portal [ ipv6 ] pre-auth ip-pool

Default

No preauthentication IP address pool is specified for portal users.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

pool-name: Specifies an IP address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You must use this command to specify a preauthentication IP address pool on a portal-enabled interface in the following situation:

· Portal users access the network through a subinterface of the portal-enabled interface.

· The subinterface does not have an IP address.

· Portal users need to obtain IP addresses through DHCP.

DHCP assigns an IP address from the specified IP address pool to a user. Then, the user can use this IP address to perform portal authentication.

The specified IP address pool takes effect when the following requirements are met:

· The direct portal authentication mode is used on the interface.

· The specified IP address pool must have existed and been correctly configured.

Examples

# Create the IPv4 address pool abc for GigabitEthernet 3/1/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal pre-auth ip-pool abc

Related commands

dhcp server ip-pool

display portal

ipv6 dhcp pool

portal pre-auth policy

Use portal pre-auth policy to create a portal preauthentication policy and enter its view, or enter the view of an existing portal preauthentication policy.

Use undo portal pre-auth policy to delete a portal preauthentication policy.

Syntax

portal pre-auth policy policy-name

undo portal pre-auth policy policy-name

Default

No portal preauthentication policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specify a portal preauthentication policy by its name, a case-insensitive string of 1 to 64 characters.

Usage guidelines

A portal preauthentication policy defines attributes (such as ACL, user profile, and CAR) assigned to preauthentication portal users.

If you modify a user attribute (or its contents) in a portal preauthentication policy, the modification immediately takes effect on the policy-applied interface for preauthentication users.

You can execute this command multiple times to create multiple portal preauthentication policies.

Examples

# Create a portal preauthentication policy named abc and enter its view.

<Sysname> system-view

[Sysname] portal pre-auth policy abc

[Sysname-pre-auth-abc]

Related commands

user-attribute

portal roaming enable

Use portal roaming enable to enable portal roaming.

Use undo portal roaming enable to disable portal roaming.

Syntax

portal roaming enable

undo portal roaming enable

Default

Portal roaming is disabled. An online portal user cannot roam in its VLAN.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Portal roaming applies only to portal users that log in from VLAN interfaces.

You cannot change the portal roaming configuration when online users or preauthentication portal users are present on the device.

If portal roaming is enabled, an online portal user can access network resources from any Layer 2 port in its local VLAN. If portal roaming is disabled, the portal user can access network resources only from the Layer 2 port on which it passes authentication.

Examples

# Enable portal roaming.

<Sysname> system-view

[Sysname] portal roaming enable

portal server

Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server.

Use undo portal server to delete the specified portal authentication server.

Syntax

portal server server-name

undo portal server server-name

Default

No portal authentication servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

In portal authentication server view, you can configure the following parameters and features for the portal authentication server:

· IP address of the server.

· Destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

· MPLS L3VPN where the portal authentication server resides.

· Pre-shared key for communication between the access device and the server.

· Server detection feature.

You can configure multiple portal authentication servers for an access device.

Examples

# Create the portal authentication server pts and enter its view.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts]

Related commands

display portal server

portal traffic-backup threshold

Use portal traffic-backup threshold to set the user traffic backup threshold.

Use undo portal traffic-backup threshold to restore the default.

Syntax

portal traffic-backup threshold value

undo portal traffic-backup threshold

Default

The user traffic backup threshold is 10 MB.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies the user traffic backup threshold, in MB. The value range for this argument is 0 to 100000. If you set the threshold to 0 MB, the device backs up user traffic in real time.

Usage guidelines

The device backs up traffic for a user when the user's traffic reaches the user traffic backup threshold. A smaller threshold provides more accurate backup for user traffic. However, when a large number of users exist, a small threshold results in frequent user traffic backups, affecting the user online, offline, and accounting processes. Set a proper threshold to balance between service performance and traffic backup accuracy.

Examples

# Set the user traffic backup threshold to 10240 MB.

<Sysname> system-view

[Sysname] portal traffic-backup threshold 10240

portal user log enable

Use portal user log enable to enable portal user login/logout logging.

Use portal user log enable to disable portal user login/logout logging.

Syntax

portal user log enable [ abnormal-logout | failed-login | normal-logout | successful-login ] *

undo portal user log enable [ abnormal-logout | failed-login | normal-logout | successful-login ] *

Default

Portal user login/logout logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

abnormal-logout: Enables logging for abnormal logouts of portal users.

failed-login: Enables logging for failed logins of portal users.

normal-logout: Enables logging for normal logouts of portal users.

successful-login: Enables logging for successful logins of portal users.

Usage guidelines

This feature logs portal user login and logoff events. Such a log message records the username, user IP address and MAC address, interface, VLAN, and login failure reason. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see the network management and monitoring configuration guide for the device.

Examples

# Enable logging for successful logins of portal users.

<Sysname> system-view

[Sysname] portal user log enable successful-login

Related commands

portal packet log enable

portal redirect log enable

portal user-block failed-times

Use portal user-block failed-times to configure the device to block portal users that fail portal authentication.

Use undo portal user-block failed-times to configure the device not to block portal users that fail portal authentication.

Syntax

portal user-block failed-times failed-times period period

undo portal user-block failed-times

Default

The device does not block portal users that fail portal authentication.

Views

System view

Predefined user roles

network-admin

Parameters

failed-times: Specifies the maximum number of consecutive authentication failures allowed for a portal user in the specified failure detection period. The value range for this argument is 0 to 10. If you specify value 0 for this argument, the device does not block portal users that fail portal authentication.

period period: Specifies the authentication failure detection period, in the range of 1 to 120 minutes.

Usage guidelines

This feature prevents exhaustive password cracking. It blocks a portal user if the user consecutively fails authentication for the specified times within the failure detection period. All authentication requests from the user are dropped by the device till the blocking times out. To set the blocking timeout time, use the portal user-block reactive command.

This feature does not block preauthentication portal users.

Examples

# Configure the device to block a portal user if the user consecutively fails portal authentication twice within 100 minutes.

<Sysname> system-view

[Sysname] portal user-block failed-times 2 period 100

Related commands

portal user-block reactive

Use portal user-block reactive to set the portal user blocking timeout time.

Use undo portal user-block reactive to restore the default.

Syntax

portal user-block reactive period

undo portal user-block reactive

Default

The portal user blocking timeout time is 30 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

period: Specifies the blocking timeout time, in the range of 0 to 1000 minutes. If you specify value 0 for this argument, blocked portal users cannot perform portal authentication again.

Usage guidelines

A blocked portal user can perform portal authentication again when the blocking timeout time expires.

Examples

# Set the portal user blocking timeout time to 20 minutes.

<Sysname> system-view

[Sysname] portal user-block reactive 20

Related commands

portal user-block failed-times

portal user-detect

Use portal user-detect to enable online detection of IPv4 portal users.

Use undo portal user-detect to disable online detection of IPv4 portal users.

Syntax

portal user-detect type { arp | icmp } [ retry retries ] [ interval interval ] [ idle time ]

undo portal user-detect

Default

Online detection of IPv4 portal users is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

type: Specifies the detection type.

· arp—ARP detection.

· icmp—ICMP detection.

retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.

interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.

idle time: Sets a user idle timeout in the range of 60 to 3600 seconds. The default idle timeout is 180 seconds. When the timeout expires, online detection of IPv4 portal users is started.

Usage guidelines

If the device receives no packets from a portal user within the configured idle time, the device detects the user's online status as follows:

· ICMP detection—Sends ICMP requests to the user at configurable intervals to detect the user status.

¡ If the device receives no reply after the maximum number of detection attempts, the device logs out the user.

· ARP detection—Sends ARP requests to the user and detects the ARP entry status of the user at configurable intervals.

¡ If the ARP entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP entry. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡ If the ARP entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.

Direct authentication and re-DHCP authentication support both ARP detection and ICMP detection. Cross-subnet authentication only supports ICMP detection.

If firewall policies on the access device filter out ICMP packets, ICMP detection might fail and result in the logout of portal users. Make sure the access device does not block ICMP packets before you enable ICMP detection on an interface.

Examples

# Enable online detection of IPv4 portal users on GigabitEthernet 3/1/1. Configure the detection type as ICMP, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname–GigabitEthernet3/1/1] portal user-detect type icmp retry 5 interval 10 idle 300

Related commands

display portal

portal user-dhcp-only

Use portal user-dhcp-only to allow only users with DHCP-assigned IP addresses to pass portal authentication.

Use undo portal user-dhcp-only to restore the default.

Syntax

portal [ ipv6 ] user-dhcp-only

undo portal [ ipv6 ] user-dhcp-only

Default

Both users with DHCP-assigned IP addresses and users with static IP addresses can pass portal authentication to come online.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

Usage guidelines

With this feature enabled, users with static IP addresses cannot pass portal authentication to come online.

This command takes effect only when DHCP clients and the DHCP server reside in the same physical network segment.

To ensure that IPv6 users can pass portal authentication when this feature is enabled, disable the temporary IPv6 address feature on terminal devices. Otherwise, IPv6 users will use temporary IPv6 addresses to access the IPv6 network and will fail portal authentication.

Examples

# Allow only users with DHCP-assigned IP addresses on GigabitEthernet 3/1/1 to pass portal authentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] portal user-dhcp-only

Related commands

display portal

portal user-rule assign-check enable

Use portal user-rule assign-check enable to enable the device to check the issuing of category-2 portal filtering rules.

Use undo portal user-rule assign-check enable to disable checking on issuing of category-2 portal filtering rules.

Syntax

portal user-rule assign-check enable

undo portal user-rule assign-check enable

Default

The device does not check the issuing of category-2 portal filtering rules.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Category-2 portal filtering rules permit authenticated users to access authorized network resources. By default, the device allows an authenticated user to come online as long as a card has issued a category-2 portal filtering rule for the user. Users coming online from global interfaces might fail to access network resources because some member ports might not have category-2 rules for the users. To resolve this issue, enable the device to check the issuing of category-2 portal filtering rules. Then, the device allows users to come online only when all cards have issued category-2 portal filtering rules for the users.

As a best practice, enable this feature if portal authentication is enabled on a global interface.

To view category-2 portal filtering rules, execute the display portal rule dynamic command.

Examples

# Enable the device to check the issuing of category-2 portal filtering rules.

<Sysname> system-view

[Sysname] portal user-rule assign-check enable

Related commands

display portal rule

portal web-proxy port

Use portal web-proxy port to specify the port number of a Web proxy server.

Use undo portal web-proxy port to delete port numbers of Web proxy servers.

Syntax

portal web-proxy { http | https } port port-number

undo portal web-proxy { { http | https } port port-number | all-port }

Default

No port numbers of Web proxy servers are specified. Proxied HTTP and HTTPS requests are dropped.

Views

System view

Predefined user roles

network-admin

Parameters

http: Specifies the HTTP service.

https: Specifies the HTTPS service.

port-number: Specifies the TCP port number of a Web proxy server. The value range for this argument is 1 to 65535. Do not specify TCP port number 80 or 443 because 80 and 443 are port numbers reserved for portal.

all-port: Specifies all port numbers of Web proxy servers.

Usage guidelines

To allow HTTP or HTTPS requests proxied by Web proxy servers to trigger portal authentication, specify the port numbers of the Web proxy servers on the device. If a Web proxy server port is not specified on the device, HTTP or HTTPS requests proxied by the Web proxy server are dropped, and portal authentication cannot be triggered.

You can configure this command multiple times to specify a maximum of 64 Web proxy server ports for HTTP and HTTPS.

Do not specify the same Web proxy server port for HTTP and HTTPS.

If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, you must perform the following tasks on the device:

· Specify the port numbers of the Web proxy servers on the device.

· Configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.

If portal users enable Web proxy in their browsers, the users must add the IP address of the portal authentication server as a proxy exception in their browsers. Then, HTTP or HTTPS packets that the users send to the portal authentication server will not be sent to Web proxy servers.

Examples

# Specify TCP port number 8080 as a Web proxy server port that allows HTTP requests to trigger portal authentication.

<Sysname> system-view

[Sysname] portal web-proxy http port 8080

Related commands

portal enable method

portal web-server

Use portal web-server to create a portal Web server and enter its view, or enter the view of an existing portal Web server.

Use undo portal web-server to delete a portal Web server.

Syntax

portal web-server server-name

undo portal web-server server-name

Default

No portal Web servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP or HTTPS requests of unauthenticated portal users to the portal Web server. In portal Web server view, you can configure the URL and URL parameters for the portal Web server and the portal Web server detection feature.

Examples

# Create the portal Web server wbs and enter its view.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs]

Related commands

display portal web-server

portal apply web-server

refresh portal

Use refresh portal to refresh Rule ARP or Rule ND entries according to the current online portal user information.

Syntax

refresh portal { rule-arp | rule-nd }

Views

User view

Predefined user roles

network-admin

Parameters

rule-arp: Refreshes Rule ARP entries.

rule-nd: Refreshes Rule ND entries.

Usage guidelines

Normally, a Rule ARP or ND entry generated for a portal client will be deleted immediately after the portal client logs out. In some cases, however, the portal user information is deleted but the corresponding Rule entry is not deleted after a portal client logs out. Such inconsistency between portal users and Rule entries might cause subsequent login failures.

To resolve this issue, execute the refresh portal command to refresh Rule ARP or ND entries according to the current online portal user information. The Rule ARP or ND entries that do not have matching online portal user information are deleted.

You can use the display portal user all command to view portal user information, and use display arp all and display ipv6 neighbors commands to view Rule entry information.

To ensure the login and logout processing performance of the device, do not execute the refresh portal command when a large number of portal users log in or out concurrently.

Examples

# Refresh Rule ARP entries according to the current portal user information.

<Sysname> refresh portal rule-arp

Related commands

display arp

display ipv6 neighbors

reset portal http-defense attacked-ip

Use reset portal http-defense attacked-ip to clear statistics for attacked destination IP addresses in portal HTTP and HTTPS attack defense.

Syntax

In standalone mode:

reset portal http-defense attacked-ip [ slot slot-number ]

In IRF mode:

reset portal http-defense attacked-ip [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears attacked destination IP address statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears attacked destination IP address statistics for all cards. (In IRF mode.)

Examples

# Clear statistics for attacked destination IP addresses in portal HTTP and HTTPS attack defense for slot 3.

<Sysname> reset portal http-defense attacked-ip slot 3

Related commands

display portal http-defense attacked-ip

reset portal http-defense blocked-ip

Use reset portal http-defense blocked-ip to clear statistics for blocked destination IP addresses in portal HTTP and HTTPS attack defense.

Syntax

In standalone mode:

reset portal http-defense blocked-ip [ ip ipv4-address | ipv6 ipv6-address ] [ slot slot-number ]

In IRF mode:

reset portal http-defense blocked-ip [ ip ipv4-address | ipv6 ipv6-address ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

ip ipv4-address: Specifies a blocked destination IPv4 address.

ipv6 ipv6-address: Specifies a blocked destination IPv6 address.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears blocked destination IP address statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears blocked destination IP address statistics for all cards. (In IRF mode.)

Usage guidelines

After you clear statistics for blocked destination IP addresses in portal HTTP and HTTPS attack defense, the device unblocks the destination IP addresses.

If you do not specify a destination IPv4 or IPv6 address, this command clears statistics for all blocked destination IPv4 and IPv6 addresses in portal HTTP and HTTPS attack defense.

Examples

# Clear statistics for blocked destination IP addresses in portal HTTP and HTTPS attack defense for slot 3.

<Sysname> reset portal http-defense blocked-ip 1.1.1.1 slot 3

Related commands

display portal http-defense blocked-ip

reset portal ip-subscriber message statistics

Use reset portal ip-subscriber message statistics to clear statistics for messages exchanged between portal and IPoE.

Syntax

reset portal ip-subscriber message statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear statistics for messages exchanged between portal and IPoE.

<Sysname> reset portal ip-subscriber message statistics

Related commands

display portal ip-subscriber message statistics

reset portal mac-trigger-server packet statistics

Use reset portal mac-trigger-server packet statistics to clear statistics for messages exchanged between the device and MAC binding servers.

Syntax

reset portal mac-trigger-server packet statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear statistics for messages exchanged between the device and MAC binding servers.

<Sysname> reset portal mac-trigger-server packet statistics

Related commands

display portal mac-trigger-server packet statistics

reset portal packet statistics

Use reset portal packet statistics to clear packet statistics for portal authentication servers.

Syntax

reset portal packet statistics [ server server-name ]

Views

User view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server server-name argument, this command clears packet statistics for all portal authentication servers.

Examples

# Clear packet statistics for the portal authentication server pts.

<Sysname> reset portal packet statistics server pts

Related commands

display portal packet statistics

server-detect (portal authentication server view)

Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status.

Use undo server-detect to disable portal authentication server detection.

Syntax

server-detect [ timeout timeout ] log

undo server-detect

Default

Portal authentication server detection is disabled.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds.

log: Enables the device to send a log message when it detects the reachability status of the portal authentication server changes. The log message contains the name, the original state, and the current state of the portal authentication server.

Usage guidelines

The portal authentication server detection feature takes effect only when the device has a portal-enabled interface.

The device determines a portal authentication server is reachable if the device receives a correct portal packet from the server before the detection timeout expires.

To test server reachability by detecting heartbeat packets, you must enable the server heartbeat feature on the portal authentication server. Only the IMC portal authentication server supports sending heartbeat packets.

The detection timeout configured on the device must be greater than the server heartbeat interval configured on the portal authentication server.

Examples

# Enable server detection for the portal authentication server pts:

· Set the detection timeout to 600 seconds.

· Configure the device to send a log message if the server reachability status changes.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-detect timeout 600 log

Related commands

portal server

server-detect (portal Web server view)

Use server-detect to enable portal Web server detection.

Use undo server-detect to disable portal Web server detection.

Syntax

server-detect [ interval interval ] [ retry retries ] log

undo server-detect

Default

Portal Web server detection is disabled.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a detection interval in the range of 10 to 1200 seconds. The default is 20 seconds.

retry retries: Specifies the maximum number of consecutive detection failures, in the range of 1 to 10. The default is 3. If the number of consecutive failed detections reaches this threshold, the device considers the server as unreachable.

log: Enables the device to send a log message when it detects the reachability status of the portal Web server changes. The log message contains the name, the original state, and the current state of the portal Web server.

Usage guidelines

The access device performs server detection independently. No configuration on the portal Web server is required for the detection.

The portal Web server detection feature takes effect only when the URL of the portal Web server is specified and the device has a portal-enabled interface.

Examples

# Enable server detection for the portal Web server wbs:

· Set the detection interval to 600 seconds.

· Set the maximum number of consecutive detection failures to 2.

· Configure the device to send a log message after server reachability status changes.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] server-detect interval 600 retry 2 log

Related commands

portal web-server

server-register

Use server-register to set the interval at which the device registers with a portal authentication server.

Use undo server-register to restore the default.

Syntax

server-register [ interval interval-value ]

undo server-register

Default

The device does not register with a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

interval interval-value: Specifies the register interval in the range of 1 to 3600 seconds. The default interval is 600 seconds.

Usage guidelines

This feature is typically used in scenarios where a NAT device exists between a portal authentication server and an access device.

Before this feature is used, you must configure a static NAT mapping for each access device on the NAT device. Adding static NAT mappings for access devices requires much workload of the administrator. After this feature is enabled, the access device automatically sends a register packet to the portal authentication server. When the server receives the register packet, it records register information for the access device, including the device name and the IP address and port number after NAT. The register information is used for subsequent authentication information exchanges between the server and the access device. The access device updates its register information on the server by sending register packets at regular intervals.

After this feature is enabled, the access device automatically sends register packets to the portal authentication server. The register packet contains the access device name. After the server receives the register packet, it records register information for the access device, including the device name and the IP address and port number after NAT. The register information is used for subsequent authentication information exchanges between the server and the access device. The access device updates its register information on the server by sending register packets at regular intervals.

Only CMCC portal authentication servers support this feature.

Examples

# Configure the device to register with the portal authentication server at intervals of 120 seconds.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-register interval 120

Related commands

server-type

server-type (portal authentication/Web server view)

Use server-type to specify the type of a portal authentication server or portal Web server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc }

undo server-type

Default

The type of the portal authentication server and portal Web server is IMC.

Views

Portal authentication server view

Portal Web server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the portal server type as CMCC.

imc: Specifies the portal server type as IMC.

Usage guidelines

Specify the portal server type on the device with the server type the device actually uses.

Examples

# Specify the type of the portal authentication server as cmcc.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-type cmcc

# Specify the type of the portal Web server as cmcc.

<Sysname> system-view

[Sysname] portal web-server pts

[Sysname-portal-websvr-pts] server-type cmcc

Related commands

display portal server

server-type (MAC binding server view)

Use server-type to specify the type of a MAC binding server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc }

undo server-type

Default

The type of the MAC binding server is IMC.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the MAC binding server type as CMCC.

imc: Specifies the MAC binding server type as IMC.

Examples

# Specify the type of the MAC binding server as cmcc.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] server-type cmcc

tcp-port

Use tcp-port to configure a listening TCP port for the local portal Web service.

Use undo tcp-port to restore the default.

Syntax

tcp-port port-number

undo tcp-port

Default

The listening TCP port number for HTTP is 80. The listening TCP port number for HTTPS is the TCP port number set by using the portal local-web-server command.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening TCP port number in the range of 1 to 65535.

Usage guidelines

To use the local portal Web service, make sure the port number in the portal Web server URL and the port number configured in this command are the same.

For successful local portal authentication, follow these guidelines:

· Do not configure the listening TCP port number for the local portal Web service as the port number used by a known protocol. For example, do not specify port numbers 21 and 23, which are used by FTP and Telnet, respectively.

· Do not configure the HTTP listening port number as the default HTTPS listening port number 443.

· Do not configure the HTTPS listening port number as the default HTTP listening port number 80.

· Do not configure the same listening port number for HTTP and HTTPS.

· For the HTTPS-based local portal Web service and other services that use HTTPS:

¡ If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.

¡ If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.

Examples

# Set the HTTP listening port number to 2331 for the HTTP-based local portal Web service.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] tcp-port 2331

Related commands

portal local-web-server

url

Use url to specify a URL for a portal Web server.

Use undo url to restore the default.

Syntax

url url-string

undo url

Default

No URL is specified for a portal Web server.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

url-string: Specifies a URL for the portal Web server, a case-sensitive string of 1 to 256 characters.

Usage guidelines

This command specifies a URL that can be accessed through standard HTTP or HTTPS. The URL should start with http:// or https://. If the URL you specify does not start with http:// or https://, the system considers the URL begins with http:// by default.

Examples

# Configure the URL for portal Web server wbs as http://www.test.com/portal.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url http://www.test.com/portal

Related commands

display portal web-server

url-parameter

Use url-parameter to configure the parameters carried in the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user.

Use undo url-parameter to delete the parameters carried in the URL of the portal Web server.

Syntax

url-parameter param-name { nas-id | nas-port-id | original-url | source-address | source-mac [ encryption { aes | des } key { cipher | simple } string ] | value expression }

undo url-parameter param-name

Default

No URL parameters are configured for a portal Web server.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

param-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. Content of the parameter is determined by the following keyword you specify.

nas-id: Specifies the NAS-ID.

nas-port-id: Specifies the NAS-Port-ID.

original-url: Specifies the URL of the original webpage that a portal user visits.

source-address: Specifies the user IP address.

source-mac: Specifies the user MAC address.

encryption: Specifies the encryption algorithm to encrypt the MAC address of the user.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

· If des cipher is specified, the string length is 41 characters.

· If des simple is specified, the string length is 8 characters.

· If aes cipher is specified, the string length is 1 to 73 characters.

· If aes simple is specified, the string length is 1 to 31 characters.

value expression: Specifies a custom case-sensitive string of 1 to 256 characters.

Usage guidelines

You can configure multiple URL parameters.

If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect.

After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users. For example, assume that the URL of a portal Web server is http://www.test.com/portal, and you execute the url-parameter userip source-address and url-parameter userurl value http://www.abc.com/welcome commands. Then, the access device sends to the user whose IP address is 1.1.1.1 the URL http://www.test.com/portal?userip=1.1.1.1&userurl=http://www.abc.com/welcome.

When you configure the param-name argument in this command, you must use the URL parameter name supported by the actual portal server. Different portal server types support different URL parameter names.

For example, the IMC server supports parameter names userurl, userip, and usermac for the keywords original-url, source-address, and source-mac, respectively. To carry the user IP information in the portal Web server URL, you must configure the parameter name as userip and specify the source-address keyword.

If you specify the encryption algorithm for a parameter, the redirection URL carries the encrypted value for the parameter. Execute the url-parameter usermac source-mac encryption des key simple 12345678 command. Then the access device sends to the user with MAC address 1111-1111-1111 the URL http://www.test.com/portal?usermac=xxxxxxxxx&userip=1.1.1.1&userurl=http://www.test.com/welcome, where xxxxxxxxx represents the encrypted user MAC address.

Examples

# Configure the URL parameters userip and userurl for the portal Web server wbs. Configure the value of the userip parameter as source-address (the IP addresses of users) and that of the userurl parameter as http://www.abc.com/welcome.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter userip source-address

[Sysname-portal-websvr-wbs] url-parameter userurl value http://www.abc.com/welcome

# Configure the URL parameter usermac for the portal Web server wbs. Configure the value of the usermac parameter as source-mac (the MAC addresses of users) and specify DES to encrypt the MAC addresses.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter usermac source-mac encryption des key simple 12345678

Related commands

display portal web-server

url

user-attribute

Use user-attribute to configure a user attribute in a portal preauthentication policy.

Use undo user-attribute to delete a user attribute in a portal preauthentication policy.

Syntax

user-attribute { acl acl-number | car { inbound | outbound } cir committed-information-rate [ pir peak-information-rate ] | user-profile profile-name }

undo user-attribute { acl | car { inbound | outbound } | user-profile }

Default

No user attributes exist in a preauthentication policy.

Views

Portal preauthentication policy view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an ACL to match traffic for preauthentication portal users. The value range for a basic ACL number is 2000 to 2999 and that for an advanced ACL is 3000 to 3999.

car: Specifies a CAR action for preauthentication portal users.

inbound: Specifies the upload rate of preauthentication portal users.

outbound: Specifies the download rate of preauthentication portal users.

cir committed-information-rate: Specifies the committed information rate in kbps. The value range for the committed-information-rate argument is 8 to 160000000.

pir peak-information-rate: Specifies the peak information rate in kbps. The value range for the peak-information-rate argument is 8 to 160000000. If you do not specify this option, the CAR action does not restrict the peak information rate of users.

user-profile profile-name: Specifies a globally unique user profile by its name, a case-sensitive string of 1 to 31 characters. Valid characters are letters, digits, underscores (_), minus signs (-), and dots (.). The profile name must begin with a letter or a digit, and it cannot be a string of all digits.

Usage guidelines

You can execute this command multiple times to configure multiple user attributes. If you configure a user attribute multiple times, the most recent configuration takes effect.

Examples

# Specify ACL 3000 for portal preauthentication policy abc.

<Sysname> system-view

[Sysname] portal pre-auth policy abc

[Sysname-portal-preauth-policy-abc] user-attribute acl 3000

user-sync

Use user-sync to enable portal user synchronization for a portal authentication server.

Use undo user-sync to disable portal user synchronization for a portal authentication server.

Syntax

user-sync timeout timeout

undo user-sync

Default

Portal user synchronization is disabled for a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Sets a detection timeout for synchronization packets, in the range of 60 to 18000 seconds.

Usage guidelines

After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server. In this way, information about online portal users on the device and on the portal authentication server remains consistent.

Portal user synchronization requires that the portal authentication server support the portal user heartbeat feature. Now, only the IMC portal authentication server supports portal user heartbeat. To implement portal user synchronization, you need to configure the user heartbeat feature on the portal authentication server. Make sure the user heartbeat interval configured on the portal authentication server is not greater than the synchronization detection timeout configured on the access device.

Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server.

If you execute this command multiple times, the most recent configuration takes effect.

For information of the users considered as nonexistent on the portal authentication server, the device deletes the information after the configured detection timeout expires.

If the user information from the portal authentication server does not exist on the device, the device encapsulates IP addresses of the users in user heartbeat reply packets to the server. The portal authentication server then deletes the users.

Examples

# Enable portal user synchronization for the portal authentication server pts and set the detection timeout to 600 seconds. If a user has not appeared in the synchronization packets sent by the portal authentication server for 600 seconds, the access device logs out the user.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] user-sync timeout 600

Related commands

portal server

version

Use version to specify the version of the portal protocol.

Use undo version to restore the default.

Syntax

version version-number

undo version

Default

The version of the portal protocol is 1.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

version-number: Specifies the portal protocol version in the range of 1 to 3.

Usage guidelines

The specified portal protocol version must be the that required by the MAC binding server.

Examples

# Configure the device to use portal protocol version 2 to communicate with the MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] version 2

Related commands

display mac-trigger-server

portal mac-trigger-server

vpn-instance

Use vpn-instance to specify the MPLS L3VPN instance to which a portal Web server belongs.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

A portal Web server is on the public network.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

A portal Web server belongs to only one MPLS L3VPN instance.

Examples

# Specify the VPN instance abc for portal Web server wbs.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] vpn-instance abc

web-redirect url

Use web-redirect url to enable the Web redirect feature.

Use undo web-redirect url to disable the Web redirect feature.

Syntax

web-redirect [ ipv6 ] url url-string [ interval interval ]

undo web-redirect [ ipv6 ]

Default

The Web redirect feature is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 Web redirect feature. Do not specify this keyword for the IPv4 Web redirect feature.

url url-string: Specifies the URL to which the user is redirected. The URL is required to be complete and begins with http:// or https://, a string of 1 to 256 characters.

interval interval: Specifies the time interval at which the user is redirected to the specified URL. It is in the range of 60 to 86400 seconds. The default interval is 86400 seconds.

Usage guidelines

Do not enable both Web redirect and portal authentication features on an interface. Web redirect does not work when both features are enabled.

With Web redirect enabled on an interface, a user on the interface is first redirected to the specified URL before the user can access an external network through a Web browser. After the specified interval, the user is redirected to the specified URL again.

The Web redirect feature takes effect only on HTTP packets that use the default port number 80.

Examples

# Configure IPv4 Web redirect on GigabitEthernet 3/1/1. Set the redirect URL to http://192.0.0.1 and the interval to 3600 seconds

<Sysname> system-view

[Sysname] interface gigabitethernet 3/1/1

[Sysname-GigabitEthernet3/1/1] web-redirect url http://192.0.0.1 interval 3600

Related commands

display web-redirect rule

16-BRAS Services Command Reference

Portal commands

display portal mac-trigger entry

display portal mac-trigger-server

ip (MAC binding server view)

ip (portal authentication server view)

port (portal authentication server view)

portal fail-permit server

portal layer3 source

server-detect (portal authentication server view)

version

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us