13-User Access and Authentication Command Reference

05-Portal commands

Contents

Portal commands

aaa-fail nobinding enable

aging-time

app-id (Facebook authentication server view)

app-id (QQ authentication server view)

app-id (WeChat authentication server view)

app-key (Facebook authentication server view)

app-key (QQ authentication server view)

app-key (WeChat authentication server view)

app-secret

authentication-timeout

auth-url

binding-retry

captive-bypass enable

cloud-binding enable

cloud-server url

default-logon-page

display portal

display portal authentication-location

display portal auth-error-record

display portal auth-fail-record

display portal captive-bypass statistics

display portal dhcp-lease

display portal dns free-rule-host

display portal extend-auth-server

display portal local-ac-user

display portal local-binding mac-address

display portal logout-record

display portal mac-trigger user

display portal mac-trigger-server

display portal packet statistics

display portal permit-rule statistics

display portal redirect session

display portal redirect session-record

display portal redirect session-statistics

display portal redirect statistics

display portal roaming-center statistics packet

display portal rule

display portal safe-redirect statistics

display portal server

display portal user

display portal user count

display portal web-server

display web-redirect rule

exclude-attribute (MAC binding server view)

exclude-attribute (portal authentication server view)

free-traffic threshold

if-match

if-match temp-pass

ip (MAC binding server view)

ip (portal authentication server view)

ip (portal roaming center view)

ipv6 (portal authentication server view)

ipv6 (portal roaming center view)

local-binding aging-time

local-binding enable

logon-page bind

logout-notify

mail-domain-name

mail-protocol

nas-port-type

port (MAC binding server view)

port (portal authentication server view)

port (portal roaming center view)

portal apply mac-trigger-server

portal apply web-server

portal authentication-location switchto-central-ac

portal auth-error-record enable

portal auth-error-record export

portal auth-error-record max

portal auth-fail-record enable

portal auth-fail-record export

portal auth-fail-record max

portal authorization strict-checking

portal captive-bypass optimize delay

portal client-gateway interface

portal client-traffic-report interval

portal cloud report interval

portal device-id

portal domain

portal dual-ip enable

portal dual-stack enable

portal dual-stack traffic-separate enable

portal enable (interface view)

portal enable (service template view)

portal extend-auth domain

portal extend-auth-server

portal fail-permit server

portal fail-permit web-server

portal forbidden-rule

portal free-all except destination

portal free-rule

portal free-rule description

portal free-rule destination

portal free-rule source

portal host-check enable

portal idle-cut dhcp-capture enable

portal ipv6 free-all except destination

portal ipv6 user-detect

portal local-web-server

portal logout-record enable

portal logout-record export

portal logout-record max

portal mac-trigger-server

portal max-user

portal nas-id profile

portal nas-port-id format

portal nas-port-type

portal oauth user-sync interval

portal outbound-filter enable

portal packet log enable

portal pre-auth ip-pool

portal redirect log enable

portal redirect max-session per-user

portal refresh enable

portal roaming-center

portal roaming enable

portal safe-redirect default-action

portal safe-redirect enable

portal safe-redirect forbidden-file

portal safe-redirect forbidden-url

portal safe-redirect method

portal safe-redirect permit-url

portal safe-redirect user-agent

portal server

portal temp-pass enable

portal traffic-accounting disable

portal traffic-backup threshold

portal user log enable

portal user-detect

portal user-dhcp-only

portal user-log traffic-separate

portal user-logoff after-client-offline enable

portal user-logoff ssid-switch enable

portal web-server

portal wifidog user-sync interval

portal { bas-ip | bas-ipv6 }

portal { ipv4-max-user | ipv6-max-user }

redirect-url

reset portal auth-error-record

reset portal auth-fail-record

reset portal captive-bypass statistics

reset portal local-binding mac-address

reset portal logout-record

reset portal packet statistics

reset portal redirect session-record

reset portal redirect session-statistics

reset portal redirect statistics

reset portal roaming-center statistics packet

reset portal safe-redirect statistics

response-timeout

retry

roaming-center enable

server-detect (portal authentication server view)

server-detect (portal Web server view)

server-detect url

server-register

server-type (MAC binding server view)

server-type (portal authentication server view/portal Web server view)

shop-id

subscribe-required enable

tcp-port

url

url-parameter

user-agent

user-password modify enable

user-sync

user-traffic deny

version

web-redirect url

 


Portal commands

The WX1800H series, WX2500H series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.

aaa-fail nobinding enable

Use aaa-fail nobinding enable to enable AAA failure unbinding.

Use undo aaa-fail nobinding enable to restore the default.

Syntax

aaa-fail nobinding enable

undo aaa-fail nobinding enable

Default

AAA failure unbinding is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

If a portal user fails AAA in MAC-trigger authentication, the user cannot trigger authentication before the MAC-trigger entry of the user ages out. After the MAC-trigger entry ages out, the user triggers MAC-trigger authentication when it accesses the network.

After AAA failure unbinding is enabled, the device sets the MAC-trigger entry state for a user to unbound immediately after the user fails AAA in MAC-trigger authentication. Before the user's MAC-trigger entry ages out, the user can trigger normal portal authentication.

Examples

# Enable AAA failure unbinding for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aaa-fail nobinding enable

Related commands

display portal mac-trigger-server

aging-time

Use aging-time to set the aging time for MAC-trigger entries.

Use undo aging-time to restore the default.

Syntax

aging-time seconds

undo aging-time

Default

The aging time for MAC-trigger entries is 300 seconds.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

seconds: Specifies the aging time for MAC-trigger entries. The value range is 60 to 7200 seconds.

Usage guidelines

With MAC-based quick portal authentication enabled, the device generates a MAC-trigger entry for a user when the device detects traffic from the user for the first time. The MAC-trigger entry records the following information:

·     MAC address of the user

·     Interface index

·     VLAN ID

·     Traffic statistics

·     Aging timer

When the aging time expires, the device deletes the MAC-trigger entry. The device re-creates a MAC-trigger entry for the user when it detects the user's traffic again.

Examples

# Specify the aging time as 300 seconds for MAC-trigger entries.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aging-time 300

Related commands

display portal mac-trigger-server

app-id (Facebook authentication server view)

Use app-id to specify the app ID for Facebook authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

No app ID is specified for Facebook authentication.

Views

Facebook authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID for Facebook authentication.

Usage guidelines

If a portal user uses Facebook authentication, the Facebook server authenticates and authorizes the user and sends an authorization code to the device after the authentication and authorization succeed. Then, the device sends the authorization code, app ID, and app key to the Facebook server to determine whether the user has passed authentication and authorization.

Examples

# Specify 123456789 as the app ID for Facebook authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb] app-id 123456789

Related commands

display portal extend-auth-server

app-id (QQ authentication server view)

Use app-id to specify the app ID for QQ authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

An app ID for QQ authentication exists.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID for QQ authentication.

Usage guidelines

To use QQ authentication for portal users, you must go to Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks:

1.     Register as a developer by using a valid QQ account.

2.     Apply for access to the platform for your website. The website is the webpage to which users are redirected after passing QQ authentication.

You will obtain the app ID and app key from the Tencent Open Platform after your application succeeds.

After a portal user passes QQ authentication, the QQ authentication server sends the authorization code of the user to the portal Web server. After the portal Web server receives the authorization code, it sends the authorization code of the user, the app ID, and the app key to the QQ authentication server for verification. If the information is verified as correct, the device determines that the user passes QQ authentication.

Examples

# Specify 101235509 as the app ID for QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] app-id 101235509

Related commands

display portal extend-auth-server

app-id (WeChat authentication server view)

Use app-id to specify the app ID for WeChat authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

No app ID is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID for WeChat authentication.

Usage guidelines

The app ID specified in this command must be the same as the app ID obtained from the WeChat Official Account Admin Platform.

This configuration is required for the device to provide local WeChat authentication for portal users.

To obtain the app ID for WeChat authentication, you must perform the following tasks:

1.     Go to the WeChat Official Account Admin Platform (https://mp.weixin.qq.com) to apply for a WeChat official account.

2.     Use the account to log in to the platform and enable the WeChat WiFi hotspot feature.

3.     Click the device management tab and add the device: select the shop where the device is deployed, select the portal device type, and enter the SSID of your WiFi network.

After the previous configurations, you will obtain the credentials (app ID, app key, and shop ID) for WeChat authentication.

When a WeChat user attempts to connect to the WiFi network provided in the specified shop, the device sends the credentials to the WeChat Official Account Platform for verification. After the credentials are verified, the device continues the portal authentication and allows the user to use the WiFi network after the authentication.

Examples

# Specify wx23fb4aaf04b8491e as the app ID for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] app-id wx23fb4aaf04b8491e

Related commands

display portal extend-auth-server

app-key (Facebook authentication server view)

Use app-key to specify the app key for Facebook authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

No app key is specified for Facebook authentication.

Views

Facebook authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app key in encrypted form.

simple: Specifies the app key in plaintext form.

app-key: Specifies the app key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

If a portal user uses Facebook authentication, the Facebook server authenticates and authorizes the user and sends an authorization code to the device after the authentication and authorization succeed. Then, the device sends the authorization code, app ID, and app key to the Facebook server to determine whether the user has passed authentication and authorization.

Examples

# Specify 123 in plaintext form as the app key for Facebook authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb] app-key simple 123

Related commands

display portal extend-auth-server

app-key (QQ authentication server view)

Use app-key to specify the app key for QQ authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

An app key for QQ authentication exists.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app key in encrypted form.

simple: Specifies the app key in plaintext form.

app-key: Specifies the app key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

To use QQ authentication for portal users, you must go to Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks:

1.     Register as a developer by using a valid QQ account.

2.     Apply for access to the platform for your website. The website is the webpage to which users are redirected after passing QQ authentication.

You will obtain the app ID and app key from the Tencent Open Platform after your application succeeds.

After a portal user passes QQ authentication, the QQ authentication server sends the authorization code of the user to the portal Web server. After the portal Web server receives the authorization code, it sends the authorization code of the user, the app ID, and the app key to the QQ authentication server for verification. If the information is verified as correct, the device determines that the user passes QQ authentication.

Examples

# Specify 8a5428e6afdc3e2a2843087fe73f1507 in plaintext form as the app key for QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] app-key simple 8a5428e6afdc3e2a2843087fe73f1507

Related commands

display portal extend-auth-server

app-key (WeChat authentication server view)

Use app-key to specify the app key for WeChat authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

No app key is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app key in encrypted form.

simple: Specifies the app key in plaintext form.

app-key: Specifies the app key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

This configuration is required for the device to provide local WeChat authentication for portal users. The app key specified in this command must be the same as the app key obtained from the WeChat Official Account Admin Platform.

To obtain the app key for WeChat authentication, you must perform the following tasks:

1.     Go to the WeChat Official Account Admin Platform (https://mp.weixin.qq.com) to apply for a WeChat official account.

2.     Use the account to log in to the platform and enable the WeChat WiFi hotspot feature.

3.     Click the device management tab and add the device: select the shop where the device is deployed, select the portal device type, and enter the SSID of your WiFi network.

After the previous configurations, you will obtain the credentials (app ID, app key, and shop ID) for WeChat authentication.

When a WeChat user attempts to connect to the WiFi network provided in the specified shop, the device sends the credentials to the WeChat Official Account Platform for verification. After the credentials are verified, the device continues the portal authentication and allows the user to use the WiFi network after the authentication.

Examples

# Specify nqduqg4816689geruhq3 in plaintext form as the app key for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] app-key simple nqduqg4816689geruhq3

Related commands

display portal extend-auth-server

app-secret

Use app-secret to specify the app secret for WeChat authentication.

Use undo app-secret to restore the default.

Syntax

app-secret { cipher | simple } string

undo app-secret

Default

No app secret is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app secret in encrypted form.

simple: Specifies the app secret in plaintext form.

string: Specifies the app secret string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

When the subscribe-required feature is enabled, you must specify the app secret for WeChat authentication on the device.

To obtain the app secret for WeChat authentication, perform the following tasks:

1.     Use a WeChat official account to log in to the WeChat Official Account Admin Platform.

For more information about the WeChat official account, see WeChat authentication configuration in Security Configuration Guide.

2.     From the navigation tree, select Developer Centers.

In the Configuration Items area, you can see the app secret for the WeChat Official account.

Examples

# Specify nqduqg4816689geruhq3 in plaintext form as the app secret for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] app-secret simple nqduqg4816689geruhq3

authentication-timeout

Use authentication-timeout to set the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving the MAC binding query response.

Use undo authentication-timeout to restore the default.

Syntax

authentication-timeout minutes

undo authentication-timeout

Default

The authentication timeout is 3 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the authentication timeout in the range of 1 to 15 minutes.

Usage guidelines

Upon receiving the MAC binding query response of a user from the MAC binding server, the device starts an authentication timeout timer for the user. When the timer expires, the device deletes the MAC-trigger entry of the user.

Examples

# Set the authentication timeout to 10 minutes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] authentication-timeout 10

Related commands

display portal mac-trigger-server

auth-url

Use auth-url to specify the URL of the QQ or Facebook authentication server.

Use undo auth-url to delete the URL of the QQ or Facebook authentication server.

Syntax

auth-url url-string

undo auth-url

Default

The URL of QQ authentication server is https://graph.qq.com.

The URL of Facebook authentication server is https://graph.facebook.com.

Views

QQ authentication server view

Facebook authentication server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of the QQ or Facebook authentication server, a case-sensitive string of 1 to 256 characters. Make sure that you specify the actual URL of the QQ or Facebook authentication server.

Examples

# Specify http://oauth.qq.com as the URL of the QQ authentication server.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] auth-url http://oauth.qq.com

# Specify http://oauth.facebook.com as the URL of the Facebook authentication server.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb] auth-url http://oauth.facebook.com

Related commands

display portal extend-auth-server

binding-retry

Use binding-retry to specify the maximum number of attempts and the interval for sending MAC binding queries to the MAC binding server.

Use undo binding-retry to restore the default.

Syntax

binding-retry { retries | interval interval } *

undo binding-retry

Default

The maximum number of query attempts is 3 and the query interval is 1 second.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10.

interval interval: Specifies the query interval in the range of 1 to 60 seconds.

Usage guidelines

If the device does not receive a response from the MAC binding server after the maximum number of query attempts is reached, the device determines that the MAC binding server is unreachable. The device then performs normal portal authentication for the user, and the user must enter the username and password for authentication.

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Set the maximum number of MAC binding query attempts to 3 and the query interval to 60 seconds.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] binding-retry 3 interval 60

Related commands

display portal mac-trigger-server

captive-bypass enable

Use captive-bypass enable to enable the captive-bypass feature.

Use undo captive-bypass enable to disable the captive-bypass feature.

Syntax

captive-bypass [ android | ios [ optimize ] ] enable

undo captive-bypass [ android | ios [ optimize ] ] enable

Default

The captive-bypass feature is disabled. The device automatically pushes the portal authentication page to iOS devices and some Android devices when they are connected to the network.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

android: Enables the captive-bypass feature for Android users.

ios: Enables the captive-bypass feature for iOS users.

optimize: Enables the optimized captive-bypass feature.

Usage guidelines

With the captive-bypass feature enabled, the device does not automatically push the portal authentication page to iOS devices and some Android devices when they are connected to the network. The device pushes the portal authentication page only when the user accesses the Internet by using a browser.

The optimized captive-bypass feature applies only to iOS mobile devices. The device automatically pushes the portal authentication page to iOS mobile devices when they are connected to the network. Users can press the home button to return to the desktop without triggering portal authentication, and the Wi-Fi connection is not terminated.

You cannot enable the captive-bypass feature for both Android and iOS users. If you execute this command multiple times, the most recent configuration takes effect.

If you do not specify any parameters, this command enables the captive-bypass feature for both Android and iOS users.

Examples

# Enable the captive-bypass feature.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass enable

# Enable the optimized captive-bypass feature for iOS users.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass ios optimize enable

# Enable the captive-bypass feature for Android users.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass android enable

Related commands

display portal captive-bypass statistics

display portal web-server

cloud-binding enable

Use cloud-binding enable to enable cloud MAC-trigger authentication.

Use undo cloud-binding enable to disable cloud MAC-trigger authentication.

Syntax

cloud-binding enable

undo cloud-binding enable

Default

Cloud MAC-trigger authentication is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

The cloud MAC-trigger authentication feature enables the cloud server to provide automated authentication to users as a unified portal authentication, portal Web, and MAC binding server. Users are required to perform manual authentication (entering the username and password) only for the first network access. They are automatically connected to the network without manual authentication for subsequent network access attempts.

Examples

# Enable cloud MAC-trigger authentication for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] cloud-binding enable

Related commands

display portal mac-trigger-server

cloud-server url

Use cloud-server url to specify the URL of the cloud portal authentication server.

Use undo cloud-server url to restore the default.

Syntax

cloud-server url url-string

undo cloud-server url

Default

The URL of the cloud portal authentication server is not specified. The device uses the URL of the portal Web server as the URL of the cloud portal authentication server.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of a cloud portal authentication server. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

Usage guidelines

To separate portal authentication and Web servers, specify the cloud portal authentication server URL by using this command, and specify a different URL for the portal Web server. In this way, you can use a different portal Web server to provide customized authentication pages to users.

Examples

# In the view of MAC binding server mts, specify http://lvzhou.h3c.com as the URL of the cloud portal authentication server.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] cloud-server url http://lvzhou.h3c.com

Related commands

display portal mac-trigger-server
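A lint for portal command scripts, checking the forms and value ranges stated in the entries above for app-key, app-secret, auth-url, aging-time, authentication-timeout, binding-retry, and cloud-server url. This is an added example, not H3C code; the function name, rule labels, and sample script are constructed for illustration. Reporting simple-form secrets and http:// URLs as findings is a policy choice of this example, not a device restriction.

```python
import re

# Limits taken from the parameter descriptions in this reference.
RANGES = {
    "aging-time": (60, 7200),            # seconds
    "authentication-timeout": (1, 15),   # minutes
}
MAX_LEN = {"simple": 64, "cipher": 117}  # app-key / app-secret string length
SECRET_CMDS = {"app-key", "app-secret"}
URL_CMDS = {"auth-url", "cloud-server url"}

# Strips a leading "<Sysname>" or "[Sysname-...]" prompt from a pasted line.
PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")


def _in_range(value, lo, hi):
    """True when value is a decimal integer within [lo, hi]."""
    return value.isdecimal() and lo <= int(value) <= hi


def lint_portal_script(text):
    """Return a list of (line_number, rule, command) findings.

    The secret value itself is never copied into a finding.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = PROMPT.sub("", raw, count=1).strip()
        if not line or line.startswith(("#", "undo ")):
            continue
        tok = line.split()
        if tok[:2] == ["cloud-server", "url"]:
            name, args = "cloud-server url", tok[2:]
        else:
            name, args = tok[0], tok[1:]

        if name in SECRET_CMDS:
            if len(args) != 2 or args[0] not in MAX_LEN:
                findings.append((lineno, "syntax", name))
                continue
            form, value = args
            if form == "simple":
                # The key is typed in plaintext form in the script.
                findings.append((lineno, "plaintext-secret", name))
            if len(value) > MAX_LEN[form]:
                findings.append((lineno, "too-long", name))
        elif name in URL_CMDS:
            if len(args) != 1 or len(args[0]) > 256:
                findings.append((lineno, "syntax", name))
                continue
            url = args[0]
            if url.startswith("http://"):
                # No TLS between the device and this server.
                findings.append((lineno, "cleartext-url", name))
            elif name == "cloud-server url" and not url.startswith("https://"):
                # cloud-server url must start with http:// or https://.
                findings.append((lineno, "bad-scheme", name))
        elif name in RANGES:
            lo, hi = RANGES[name]
            if len(args) != 1 or not _in_range(args[0], lo, hi):
                findings.append((lineno, "out-of-range", name))
        elif name == "binding-retry":
            # Syntax: binding-retry { retries | interval interval } *
            it = iter(args)
            for arg in it:
                if arg == "interval":
                    ok = _in_range(next(it, ""), 1, 60)   # seconds
                else:
                    ok = _in_range(arg, 1, 10)            # attempts
                if not ok:
                    findings.append((lineno, "out-of-range", name))
    return findings


# Constructed sample script; EXAMPLEKEY is a placeholder, not a real key.
SAMPLE = """\
<Sysname> system-view
[Sysname] portal extend-auth-server qq
[Sysname-portal-extend-auth-server-qq] app-id 101235509
[Sysname-portal-extend-auth-server-qq] app-key simple EXAMPLEKEY
[Sysname-portal-extend-auth-server-qq] auth-url http://oauth.qq.com
[Sysname] portal mac-trigger-server mts
[Sysname-portal-mac-trigger-server-mts] aging-time 30
[Sysname-portal-mac-trigger-server-mts] authentication-timeout 10
[Sysname-portal-mac-trigger-server-mts] binding-retry 3 interval 90
[Sysname-portal-mac-trigger-server-mts] cloud-server url https://lvzhou.h3c.com
"""

if __name__ == "__main__":
    for lineno, rule, command in lint_portal_script(SAMPLE):
        print(f"line {lineno}: {rule} ({command})")
```
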

default-logon-page

Use default-logon-page to specify the default authentication page file for a local portal Web service.

Use undo default-logon-page to restore the default.

Syntax

default-logon-page file-name

undo default-logon-page

Default

No default authentication page file is specified for a local portal Web service.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

file-name: Specifies the default authentication page file by the file name (without the file storage directory). The file name is a case-sensitive string of 1 to 91 characters. Valid characters are letters, digits, dots (.) and underscores (_).

Usage guidelines

You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages. The device then sets them as the default authentication pages for local portal authentication.

Examples

# Specify file pagefile1.zip as the default authentication page file for local portal authentication.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] default-logon-page pagefile1.zip

Related commands

portal local-web-server

display portal

Use display portal to display portal configuration and portal running state.

Syntax

display portal { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays portal configuration and portal running state for all radios of the AP.

interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display portal configuration and portal running state on AP ap1.

<Sysname> display portal ap ap1

 Portal information of ap1

 Radio ID: 1

 SSID: portal

     Authorization : Strict checking

     ACL           : Disable

     User profile  : Disable

     Dual stack    : Disabled

     Dual IP       : Disabled

     Dual traffic-separate: Disabled

 IPv4:

     Portal status: Enabled

     Portal authentication method: Direct

     Portal Web server: wbs(active)

     Secondary portal Web server: wbs sec

     Portal mac-trigger-server: mts

     Authentication domain: my-domain

     Extend-auth domain: def

     User-dhcp-only: Enabled

     Max portal users: 1024

     Bas-ip: 2.2.2.2

     Action for sever detection:

         Server type      Server name           Action

         Web server       wbs                   fail-permit

         Portal server    pts                   fail-permit

     Destination authentication subnet:

         IP address                             Mask

         2.2.2.2                                255.255.0.0

 IPv6:

     Portal status: Enabled

     Portal authentication method: Direct

     Portal Web server: wbsv6(active)

     Secondary portal Web server: Not configured

     Authentication domain: my-domain

     Extend-auth domain: Not configured

     User-dhcp-only: Disabled

     Max portal users: 512

     Bas-ipv6: 2000::1     

     Action for sever detection:

         Server type      Server name           Action

         Web server       wbsv6                 fail-permit

         Portal server    ptsv6                 fail-permit

     Destination authentication subnet:

         IP address                             Prefix length

         3000::1                                64

# Display portal configuration and portal running state on VLAN-interface 30.

<Sysname> display portal interface Vlan-interface 30

 Portal information of Vlan-interface30

     NAS-ID profile: Not configured

     Authorization : Strict checking

     ACL           : Disable

     User profile  : Disable

     Dual stack    : Disabled

     Dual IP       : Disabled

     Dual traffic-separate: Disabled

 IPv4:

     Portal status: Enabled

     Portal authentication method: Direct

     Portal Web server: pt(active)

     Secondary portal Web server: wbs sec

     Authentication domain: test

     Pre-auth domain: Not configured

     Extend-auth domain: def

     User-dhcp-only: Disabled

     Pre-auth IP pool: Not configured

     Max portal users: Not configured

     Bas-ip: Not configured

     User detection: Not configured

     Portal temp-pass: Enabled,       Period: 30s

     Action for server detection:

         Server type    Server name                        Action

         --             --                                 --

     Layer3 source network:

         IP address               Mask

 

     Destination authentication subnet:

         IP address               Mask

 IPv6:

     Portal status: Disabled

     Portal authentication method: Disabled

     Portal Web server: Not configured

     Secondary portal Web server: Not configured

     Authentication domain: Not configured

     Pre-auth domain: Not configured

     User-dhcp-only: Disabled

     Pre-auth IP pool: Not configured

     Max portal users: Not configured

     Extend-auth domain: Not configured

     Bas-ipv6: Not configured

     User detection: Not configured

     Portal temp-pass: Disabled

     Action for server detection:

         Server type    Server name                        Action

         --             --                                 --

     Layer3 source network:

         IP address                                        Prefix length

 

     Destination authentication subnet:

         IP address                                        Prefix length

Table 1 Command output

Field: Description

Portal information of interface: Portal configuration on the interface.

Radio ID: ID of the radio.

SSID: Service set identifier.

NAS-ID profile: NAS-ID profile on the interface.

Authorization: Authorization information type: ACL or user profile.

Strict checking: Whether strict checking is enabled on portal authorization information.

Dual stack: Status of the portal dual-stack feature on the interface:

·     Disabled.

·     Enabled.

Dual IP: Status of the dual IP feature, disabled or enabled. This feature enables the device to carry both an IPv4 address and an IPv6 address in RADIUS packets for single-stack users in remote portal authentication.

Dual traffic-separate: Status of separate IPv4 and IPv6 traffic statistics for dual-stack portal users on the interface:

·     Disabled.

·     Enabled.

IPv4: IPv4 portal configuration.

IPv6: IPv6 portal configuration.

Portal status: Portal authentication status on the interface:

·     Disabled—Portal authentication is disabled.

·     Enabled—Portal authentication is enabled.

·     Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication.

Portal authentication method: Type of authentication enabled on the interface. The value Direct indicates direct authentication.

Portal Web server: Name of the primary portal Web server specified on the interface. This field displays the (active) flag next to the server name if the server is being used.

Secondary portal Web server: Name of the backup portal Web server specified on the interface. This field displays the (active) flag next to the server name if the server is being used.

Portal mac-trigger-server: Name of the MAC binding server specified on the interface.

Authentication domain: Mandatory authentication domain on the interface.

Pre-auth domain: Preauthentication domain for portal users on the interface.

Extend-auth domain: Authentication domain configured for third-party authentication on an interface or service template.

User-dhcp-only: Status of the user-dhcp-only feature:

·     Enabled—Only users with IP addresses obtained through DHCP can perform portal authentication.

·     Disabled—Both users with IP addresses obtained through DHCP and users with static IP addresses can pass authentication to get online.

Pre-auth IP pool: Name of the IP address pool specified for portal users before authentication.

Max portal users: Maximum number of portal users allowed on an interface.

Bas-ip: BAS-IP attribute of the portal packets sent to the portal authentication server.

Bas-ipv6: BAS-IPv6 attribute of the portal packets sent to the portal authentication server.

User detection: Configuration for online detection of portal users on the interface, including detection method (ARP, ICMP, ND, or ICMPv6), detection interval, maximum number of detection attempts, and user idle time.

Portal temp-pass: Status of the temporary pass feature:

·     Enabled—The temporary pass feature is enabled.

·     Disabled—The temporary pass feature is disabled.

·     Period—Temporary pass period during which a user can access the Internet temporarily. This field is displayed only if the temporary pass feature is enabled.

Action for server detection: Portal server detection configuration on the interface:

·     Server type—Type of the server. Portal server represents the portal authentication server, and Web server represents the portal Web server.

·     Server name—Name of the server.

·     Action—Action triggered by the result of server detection. This field displays fail-permit when the portal fail-permit feature is enabled.

Layer3 source network: Information of the portal authentication source subnet.

Destination authentication subnet: Information of the portal authentication destination subnet.

IP address: IP address of the portal authentication subnet.

Mask: Subnet mask of the portal authentication subnet.

Prefix length: Prefix length of the IPv6 portal authentication subnet address.
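The fields in Table 1 that decide whether clients can reach the network without authenticating (the Authorized portal status, fail-permit actions, the temporary pass feature, and user-dhcp-only) can be checked mechanically from saved command output. The following Python script is an added example, not H3C code: the function names, the severity labels, and the sample text (constructed in the layout of the Vlan-interface30 example above) are assumptions.

```python
import re

# Constructed sample in the layout of the "display portal interface" example.
SAMPLE = """\
 Portal information of Vlan-interface30
     NAS-ID profile: Not configured
     Authorization : Strict checking
     ACL           : Disable
 IPv4:
     Portal status: Authorized
     Portal authentication method: Direct
     Portal Web server: pt(active)
     User-dhcp-only: Disabled
     Portal temp-pass: Enabled,       Period: 30s
     Action for server detection:
         Server type    Server name                        Action
         Web server     pt                                 fail-permit
     Destination authentication subnet:
         IP address               Mask
         2.2.2.2                  255.255.0.0
 IPv6:
     Portal status: Disabled
     Portal temp-pass: Disabled
     Action for server detection:
         Server type    Server name                        Action
         --             --                                 --
"""

# "Name: value" lines. The colon must be followed by whitespace so that IPv6
# subnet rows such as "3000::1   64" are not mistaken for fields.
FIELD = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*:\s+(\S.*?)\s*$")
# Rows of the server detection table: server type, server name, action.
ROW = re.compile(r"^\s+(Web server|Portal server)\s+(\S+)\s+(\S+)\s*$")


def parse_display_portal(text):
    """Split the output into 'common', 'IPv4' and 'IPv6' parts."""
    stacks = {}
    current = stacks.setdefault("common", {"fields": {}, "detection": []})
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("IPv4:", "IPv6:"):
            current = stacks.setdefault(
                stripped[:-1], {"fields": {}, "detection": []})
            continue
        row = ROW.match(line)
        if row:
            current["detection"].append(row.groups())
            continue
        field = FIELD.match(line)
        if field:
            current["fields"][field.group(1)] = field.group(2)
    return stacks


def audit(stacks):
    """Return (stack, severity, message) tuples; severities are assumptions."""
    findings = []
    for stack, data in stacks.items():
        fields = data["fields"]
        status = fields.get("Portal status")
        if status is None or status == "Disabled":
            continue  # portal is not running for this address family
        if status == "Authorized":
            findings.append((stack, "HIGH",
                             "server unreachable: users currently get "
                             "network access without authentication"))
        for server_type, name, action in data["detection"]:
            if action == "fail-permit":
                findings.append((stack, "MEDIUM",
                                 f"fail-permit configured for {server_type} "
                                 f"'{name}'"))
        temp_pass = fields.get("Portal temp-pass", "")
        if temp_pass.startswith("Enabled"):
            period = re.search(r"Period:\s*(\S+)", temp_pass)
            findings.append((stack, "LOW",
                             "temporary pass enabled, period "
                             + (period.group(1) if period else "unknown")))
        if fields.get("User-dhcp-only") == "Disabled":
            findings.append((stack, "LOW",
                             "users with static IP addresses can authenticate"))
    return findings


if __name__ == "__main__":
    for stack, severity, message in audit(parse_display_portal(SAMPLE)):
        print(f"[{severity}] {stack}: {message}")
```

The row pattern keys on the server type column rather than on the table heading, so it works for both the AP and the interface forms of the output.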

 

display portal authentication-location

Use display portal authentication-location to display the portal authenticator, that is, the device that performs portal authentication on clients.

Syntax

display portal authentication-location

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command takes effect only on local ACs in an AC hierarchy.

Examples

# Display the portal authenticator.

<Sysname> display portal authentication-location

 Portal authentication-location: Local

Table 2 Command output

Field: Description

Portal authentication-location: Location of the authenticator:

·     Local—The authenticator is the local device.

·     Remote—The authenticator is another device.

Related commands

portal authentication-location switchto-central-ac

display portal auth-error-record

Use display portal auth-error-record to display portal authentication error records.

Syntax

display portal auth-error-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal authentication error records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Examples

# Display all portal authentication error records.

<Sysname> display portal auth-error-record all

Total authentication error records: 2

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:49:07

Auth error reason      : The maximum number of users already reached.

 

User MAC               : 0016-ecb7-a235

Interface              : Vlan-interface100

User IP address        : 192.168.0.10

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:51:07

Auth error reason      : The maximum number of users already reached.

# Display portal authentication error records for the portal user whose IPv4 address is 192.168.0.188.

<Sysname> display portal auth-error-record ipv4 192.168.0.188

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:49:07

Auth error reason      : The maximum number of users already reached.

# Display portal authentication error records for the portal user whose IPv6 address is 2000::2.

<Sysname> display portal auth-error-record ipv6 2000::2

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 2000::2

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:49:07

Auth error reason      : The maximum number of users already reached.

# Display portal authentication error records with the error time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal auth-error-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 14:22:25

Auth error reason      : The maximum number of users already reached.

Table 3 Command output

Field: Description

Total authentication error records: Total number of portal authentication error records.

User MAC: MAC address of the portal user.

Interface: Access interface of the portal user.

User IP address: IP address of the portal user.

AP: AP name.

SSID: Service set identifier.

Auth error time: Time when the portal user encountered an authentication error, in the format of YYYY-MM-DD hh:mm:ss.

Auth error reason: Reason for the authentication error:

·     The maximum number of users already reached.

·     Failed to obtain user physical information.

·     Failed to receive the packet because packet length is 0.

·     Packet source unknown. Server IP:X.X.X.X, VRF index:0.

·     Packet validity check failed because packet length and version don't match.

·     Packet type invalid.

·     Packet validity check failed due to invalid authenticator.

·     Memory insufficient.

·     Portal is disabled on the interface.

·     The maximum number of users on the interface already reached.

·     Failed to get the access token of the cloud user.

·     Failed to get the user information of the cloud user.

·     Failed to get the access token of the QQ user.

·     Failed to get the openID of the QQ user.

·     Failed to get the user information of the QQ user.

·     Email authentication failed.

 

Related commands

portal auth-error-record enable

reset portal auth-error-record

display portal auth-fail-record

Use display portal auth-fail-record to display portal authentication failure records.

Syntax

display portal auth-fail-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal authentication failure records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Display all portal authentication failure records.

<Sysname> display portal auth-fail-record all

Total authentication fail records: 2

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

 

User name              : coco

User MAC               : 0016-ecb7-a235

Interface              : Vlan-interface100

User IP address        : 192.168.0.10

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:50:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose IPv4 address is 192.168.0.188.

<Sysname> display portal auth-fail-record ipv4 192.168.0.188

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose IPv6 address is 2000::2.

<Sysname> display portal auth-fail-record ipv6 2000::2

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 2000::2

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose username is chap1.

<Sysname> display portal auth-fail-record username chap1

User name              : chap1

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records with the failure time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal auth-fail-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User name              : chap1

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 14:22:25

Auth failure reason    : Authorization information does not exist.

Table 4 Command output

Field: Description

Total authentication fail records: Total number of portal authentication failure records.

User name: Username of the portal user.

User MAC: MAC address of the portal user.

Interface: Access interface of the portal user.

User IP address: IP address of the portal user.

AP: AP name.

SSID: Service set identifier.

Auth failure time: Time when the portal user failed authentication, in the format of YYYY-MM-DD hh:mm:ss.

Auth failure reason: Reason why the user failed portal authentication.

 

Related commands

portal auth-fail-record enable

reset portal auth-fail-record
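Failure and error records are most useful when aggregated per client. The following Python script is an added example and not part of the H3C reference: it parses saved display portal auth-fail-record (or auth-error-record) output and flags any MAC address with several failures inside a short window, together with the usernames it tried. The threshold, the window, the function names, and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Key   : value" lines. Whitespace is required on both sides of the colon, so
# times (16:49:07) and IPv6 addresses (2000::2) stay inside the value.
FIELD = re.compile(r"^\s*(.+?)\s+:\s+(.*\S)\s*$")


def _record(user, mac, ip, when):
    """Build one constructed record in the layout shown in the examples above."""
    rows = [("User name", user), ("User MAC", mac),
            ("Interface", "Vlan-interface100"), ("User IP address", ip),
            ("AP", "ap1"), ("SSID", "byod"), ("Auth failure time", when),
            ("Auth failure reason", "Authorization information does not exist.")]
    return "\n".join(f"{key:<23}: {value}" for key, value in rows)


# Constructed sample: one client fails three times in about a minute.
SAMPLE = "Total authentication fail records: 5\n" + "\n\n".join([
    _record("test@abc", "0016-ecb7-a879", "192.168.0.188", "2016-03-04 16:49:07"),
    _record("coco", "0016-ecb7-a235", "2000::2", "2016-03-04 16:50:07"),
    _record("admin", "0016-ecb7-a879", "192.168.0.188", "2016-03-04 16:49:40"),
    _record("guest", "0016-ecb7-a879", "192.168.0.188", "2016-03-04 16:50:15"),
    _record("test@abc", "0016-ecb7-a879", "192.168.0.188", "2016-03-04 16:58:00"),
])


def parse_records(text):
    """Return one dict per record; a blank line or a repeated key ends a record."""
    records, current = [], {}
    for line in text.splitlines():
        match = FIELD.match(line)
        key = match.group(1) if match else None
        if current and (not line.strip() or key in current):
            records.append(current)
            current = {}
        if match:
            current[key] = match.group(2)
    if current:
        records.append(current)
    return records


def flag_repeated_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Return (mac, failures, usernames) for MACs reaching threshold in window."""
    by_mac = defaultdict(list)
    for record in records:
        when = record.get("Auth failure time") or record.get("Auth error time")
        if not when or "User MAC" not in record:
            continue
        # Accept YYYY/MM/DD as well as the YYYY-MM-DD shown in the examples.
        stamp = datetime.strptime(when.replace("/", "-"), "%Y-%m-%d %H:%M:%S")
        by_mac[record["User MAC"].lower()].append(
            (stamp, record.get("User name", "")))
    alerts = []
    for mac, events in sorted(by_mac.items()):
        events.sort()
        start, best, best_users = 0, 0, set()
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_users = {user for _, user in events[start:end + 1] if user}
        if best >= threshold:
            alerts.append((mac, best, sorted(best_users)))
    return alerts


if __name__ == "__main__":
    for mac, count, users in flag_repeated_failures(parse_records(SAMPLE)):
        print(f"{mac}: {count} failures within 5 minutes, usernames: {users}")
```

Error records carry no User name field, so for auth-error-record output the username list in each alert is empty.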

display portal captive-bypass statistics

Use display portal captive-bypass statistics to display packet statistics for portal captive-bypass.

Syntax

In standalone mode:

display portal captive-bypass statistics

In IRF mode:

display portal captive-bypass statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays portal captive-bypass packet statistics on all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display portal captive-bypass packet statistics.

<Sysname> display portal captive-bypass statistics

User type       Packets

iOS:            1

Android:        0

# (In IRF mode.) Display portal captive-bypass packet statistics for slot 1.

<Sysname> display portal captive-bypass statistics slot 1

Slot 1:

User type       Packets

iOS             1

Android         0

Table 5 Command output

Field: Description

User type: Type of users:

·     iOS.

·     Android.

Packets: Number of portal captive-bypass packets sent to the users.

 

Related commands

captive-bypass enable

display portal dhcp-lease

Use display portal dhcp-lease to display DHCP lease information of portal users.

Syntax

display [ ipv6 ] portal dhcp-lease [ ip ip-address | ipv6 ipv6-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6: Displays DHCP information for IPv6 portal users. If you do not specify this keyword, the command displays DHCP information for IPv4 portal users.

ip ip-address: Specifies a portal user by its IPv4 address.

ipv6 ipv6-address: Specifies a portal user by its IPv6 address.

Examples

# Display DHCP lease information of all IPv4 portal users.

<Sysname> display portal dhcp-lease

Total DHCP lease entries: 2

IP                MAC                   Lease time          Remaining time

1.1.1.1           AABB-CCDD-1122        02h 00m 00s         01h 10m 46s

1.1.1.2           AABB-CCDD-1133        01h 00m 00s         00h 08m 46s

# Display DHCP lease information of all IPv6 portal users.

<Sysname> display portal ipv6 dhcp-lease

Total DHCP lease entries: 2

IP                MAC                   Lease time          Remaining time

2000::1           AABB-CCDD-1144        02h 00m 00s         01h 10m 46s

2000::2           AABB-CCDD-1155        01h 00m 00s         00h 08m 46s

# Display DHCP lease information of the IPv4 portal user at 1.1.1.1.

<Sysname> display portal dhcp-lease ip 1.1.1.1

IP                MAC                   Lease time          Remaining time

1.1.1.1           AABB-CCDD-1122        02h 00m 00s         01h 10m 46s

# Display DHCP lease information of the IPv6 portal user at 2000::1.

<Sysname> display portal ipv6 dhcp-lease ipv6 2000::1

IP                MAC                   Lease time          Remaining time

2000::1           AABB-CCDD-1144        02h 00m 00s         01h 10m 46s

Table 6 Command output

Field: Description

Total DHCP lease entries: Total number of DHCP lease entries.

IP: IP address of the portal user.

MAC: MAC address of the portal user.

Lease time: Lease time period for the IP address.

·     If the time period is less than one day, this field is displayed in the xxh xxm xxs format.

·     If the time period is less than one week, this field is displayed in the xd xxh format.

·     If the time period is greater than one week, this field is displayed in the xw xd xxh format.

Remaining time: Remaining lease time period for the IP address.

·     If the time period is less than one day, this field is displayed in the xxh xxm xxs format.

·     If the time period is less than one week, this field is displayed in the xd xxh format.

·     If the time period is greater than one week, this field is displayed in the xw xd xxh format.

The w, d, h, m, and s represent weeks, days, hours, minutes, and seconds, respectively.

 

Related commands

portal idle-cut dhcp-capture enable

display portal dns free-rule-host

Use display portal dns free-rule-host to display IP addresses corresponding to host names in destination-based portal-free rules.

Syntax

display portal dns free-rule-host [ host-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

host-name: Specifies a host by its name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, hyphens (-), underscores (_), dots (.), and wildcards (asterisks *). The host name cannot be ip or ipv6. If you do not specify a host name, this command displays IP addresses corresponding to all host names in destination-based portal-free rules.

Examples

# Display IP addresses corresponding to host name www.baidu.com in a destination-based portal-free rule.

<Sysname> display portal dns free-rule-host www.baidu.com

 Host name                     IP

 www.baidu.com                 10.10.10.10

# Display IP addresses corresponding to host name *abc.com in a destination-based portal-free rule.

<Sysname> display portal dns free-rule-host *abc.com

 Host name                     IP

 *abc.com                      12.12.12.12

                               111.8.33.100

                               3.3.3.3

Table 7 Command output

Field: Description

Host name: Host name specified in a destination-based portal-free rule.

IP: IP address corresponding to the host name.

 

display portal extend-auth-server

Use display portal extend-auth-server to display information about third-party authentication servers.

Syntax

display portal extend-auth-server { all | facebook | mail | qq | wechat }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all third-party authentication servers.

facebook: Specifies the Facebook authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

Examples

# Display information about all third-party authentication servers.

<Sysname> display portal extend-auth-server all

Portal extend-auth-server: qq

   Authentication URL : http://graph.qq.com

   APP ID            : 101235509

   APP key           : ******

   Redirect URL      : http://oauthindev.h3c.com/portal/qqlogin.html

Portal extend-auth-server: mail

   Mail protocol      : POP3

   Mail domain name   : @qq.com

Portal extend-auth-server: wechat

  App ID             : wx23fb4aaf04b8491e

  App key            : ******

  App secret         : ******

  Subscribe-required : Enabled

  Shop ID            : 6747662

Portal extend-auth-server: facebook

   Authentication URL : https://graph.facebook.com

   APP ID             : 123456789

   APP key            : ******

   Redirect URL       : http://oauthindev.h3c.com/portal/fblogin.html

Table 8 Command output

Field: Description

Portal extend-auth-server: Type of the third-party authentication server.

Authentication URL: URL of the third-party authentication server.

APP ID: App ID for the third-party authentication.

APP key: App key for the third-party authentication.

APP secret: App secret for WeChat authentication.

Subscribe-required: Status of the subscribe-required feature:

·     Enabled.

·     Disabled.

Redirect URL: URL to which portal users are redirected after they pass third-party authentication.

Mail protocol: Protocols of the email authentication service.

Mail domain name: Email domain name of the email authentication service.

Shop ID: ID of the shop where the device is deployed as a portal device for WeChat authentication.

 

Related commands

portal extend-auth-server

display portal local-ac-user

Use display portal local-ac-user on the central AC to display information about portal users that come online from local ACs.

Syntax

display portal local-ac-user { all | ip ipv4-address | ipv6 ipv6-address | mac mac-address | local-ac local-ac-name | username username }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal users.

ip ipv4-address: Specifies a portal user by its IPv4 address.

ipv6 ipv6-address: Specifies a portal user by its IPv6 address.

mac mac-address: Specifies a portal user by its MAC address in the format of H-H-H.

local-ac local-ac-name: Specifies a local AC by its name, a case-insensitive string of 1 to 64 characters.

username username: Specifies a portal user by its username, a case-sensitive string of 1 to 253 characters. The username cannot contain a domain name.

Usage guidelines

Use this command on the central AC in an AC hierarchy. Before you execute this command, enable wireless portal client validity check on the central AC by using the portal host-check enable command.

If you use this command on local ACs, no portal user information is displayed. You can use the display portal user command on local ACs to display portal user information.

Examples

# Display information about all portal users that come online from local ACs.

<Sysname> display portal local-ac-user all

Total portal users: 3

 

Username: abc

IP address: 1.1.1.1

MAC address: 000d-88f8-0eab

Interface: GigabitEthernet1/0/1

Local AC name: local1

Local AC IP address: 2.2.2.2

 

Username: abd

IP address: 1.1.1.2

MAC address: 00fd-88f8-0eab

Interface: GigabitEthernet1/0/1

Local AC name: local1

Local AC IP address: 2.2.2.2

 

Username: def

IP address: 1.1.1.3

MAC address: 000d-88f8-0ecd

Interface: GigabitEthernet1/0/1

Local AC name: local2

Local AC IP address: 2.2.2.3

# Display information about the portal user that uses IP address 1.1.1.1 and comes online from a local AC.

<Sysname> display portal local-ac-user ip 1.1.1.1

Username: abc

IP address: 1.1.1.1

MAC address: 000d-88f8-0eab

Interface: GigabitEthernet1/0/1

Local AC name: local1

Local AC IP address: 2.2.2.2

# Display information about the portal user that uses IPv6 address 200::2 and comes online from a local AC.

<Sysname> display portal local-ac-user ipv6 200::2

Username: af

IPv6 address: 200::2

MAC address: 000d-88f5-0eab

Interface: GigabitEthernet1/0/1

Local AC name: local1

Local AC IP address: 2.2.2.2

# Display information about the portal user that uses MAC address 000d-88f8-0eab and comes online from a local AC.

<Sysname> display portal local-ac-user mac 000d-88f8-0eab

Username: abc

IP address: 1.1.1.1

MAC address: 000d-88f8-0eab

Interface: GigabitEthernet1/0/1

Local AC name: local1

Local AC IP address: 2.2.2.2

# Display information about portal users that come online from local AC local1.

<Sysname> display portal local-ac-user local-ac local1

Total portal users: 2

 

Username: abc

IP address: 1.1.1.1

MAC address: 000d-88f8-0eab

Interface: GigabitEthernet1/0/1

Local AC name: local1

Local AC IP address: 2.2.2.2

 

Username: def

IP address: 1.1.1.2

MAC address: 000d-88f8-0ecd

Interface: GigabitEthernet1/0/1

Local AC name: local1

Local AC IP address: 2.2.2.2

# Display information about portal user abc that comes online from a local AC.

<Sysname> display portal local-ac-user username abc

Username: abc

IP address: 1.1.1.1

MAC address: 000d-88f8-0eab

Interface: GigabitEthernet1/0/1

Local AC name: local1

Local AC IP address: 2.2.2.2

Table 9 Command output

Field: Description

Total portal users: Total number of portal users on local ACs.

Username: Username of the portal user.

IP address: IP address of the portal user.

MAC address: MAC address of the portal user.

Interface: Interface through which the portal user passes portal authentication and comes online.

Local AC name: Name of the local AC from which the portal user comes online.

Local AC IP address: IP address of the local AC from which the portal user comes online.

 

Related commands

display portal user

display portal local-binding mac-address

Use display portal local-binding mac-address to display information about local MAC-account binding entries on the local MAC binding server.

Syntax

display portal local-binding mac-address { mac-address | all }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address: Specifies the MAC address of a portal user, in the format H-H-H.

all: Specifies all local MAC-account binding entries.

Examples

# Display information about all local MAC-account binding entries.

<Sysname> display portal local-binding mac-address all

Total MAC addresses: 5

MAC address                Username            Aging(hh:mm:ss)

0015-e9a6-7cfe             wlan_user1          00:41:38

0000-e27c-6e80             wlan_user2          00:41:38

000f-e212-ff01             wlan_user3          00:41:38

001c-f08f-f804             wlan_user4          00:41:38

000f-e233-9000             wlan_user5          00:41:38

# Display information about the local MAC-account binding entry for the user with MAC address 0015-e9a6-7cfe.

<Sysname> display portal local-binding mac-address 0015-e9a6-7cfe

Total MAC addresses: 1

MAC address                Username            Aging(hh:mm:ss)

0015-e9a6-7cfe             wlan_user1          00:41:38

Table 10 Command output

Field: Description

MAC address: MAC address of a portal user.

Username: Username of a portal user.

Aging: Remaining lifetime of the local MAC-account binding entry.

 

Related commands

local-binding enable

display portal logout-record

Use display portal logout-record to display portal user offline records.

Syntax

display portal logout-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal user offline records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Display all portal user offline records.

<Sysname> display portal logout-record all

Total logout records: 2

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:20:19

User logout time       : 2016-03-04 14:22:05

Logout reason          : Admin Reset

 

User name              : coco

User MAC               : 0016-ecb7-a235

Interface              : Vlan-interface100

User IP address        : 192.168.0.10

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:10:15

User logout time       : 2016-03-04 14:22:05

Logout reason          : Admin Reset

# Display offline records for the portal user whose IP address is 192.168.0.8.

<Sysname> display portal logout-record ipv4 192.168.0.8

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:26:12

User logout time       : 2016-03-04 14:27:35

Logout reason          : Admin Reset

# Display offline records for the portal user whose username is chap1.

<Sysname> display portal logout-record username chap1

User name              : chap1

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 17:20:19

User logout time       : 2016-03-04 17:22:05

Logout reason          : Admin Reset

# Display portal user offline records with the logout time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal logout-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:20:19

User logout time       : 2016-03-04 14:22:05

Logout reason          : Admin Reset

Table 11 Command output

Field                   Description
Total logout records    Total number of portal user offline records.
User name               Username of the portal user.
User MAC                MAC address of the portal user.
Interface               Access interface of the portal user.
User IP address         IP address of the portal user.
AP                      AP name.
SSID                    Service set identifier.
User login time         Time when the portal user came online, in the format of YYYY-MM-DD hh:mm:ss.
User logout time        Time when the portal user went offline, in the format of YYYY-MM-DD hh:mm:ss.
Logout reason           Reason why the portal user went offline:
                        ·     User Request.
                        ·     Carrier Lost.
                        ·     Service Lost.
                        ·     Admin Reset.
                        ·     NAS Request.
                        ·     Idle Timeout.
                        ·     Port Suspended.
                        ·     Port Error.
                        ·     Admin Reboot.
                        ·     Session Timeout.
                        ·     User Error.
                        ·     Service Unavailable.
                        ·     NAS Error.
                        ·     Other Errors.

Related commands

portal logout-record enable

reset portal logout-record
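
The record layout shown above lends itself to structured parsing for incident response, for example to answer which account held an IP address at a given moment or how sessions ended. The following Python sketch is an added example, not H3C code; the function names and the sample text (constructed from the output format above) are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in the format of "display portal logout-record all".
SAMPLE = """\
<Sysname> display portal logout-record all
Total logout records: 2

User name              : test@abc
User MAC               : 0016-ecb7-a879
Interface              : Vlan-interface100
User IP address        : 192.168.0.8
AP                     : ap1
SSID                   : byod
User login time        : 2016-03-04 14:20:19
User logout time       : 2016-03-04 14:22:05
Logout reason          : Admin Reset

User name              : coco
User MAC               : 0016-ecb7-a235
Interface              : Vlan-interface100
User IP address        : 192.168.0.10
AP                     : ap1
SSID                   : byod
User login time        : 2016-03-04 14:10:15
User logout time       : 2016-03-04 14:22:05
Logout reason          : Idle Timeout
"""

# Output labels (Table 11) mapped to short record keys.
FIELDS = {
    "User name": "user", "User MAC": "mac", "Interface": "interface",
    "User IP address": "ip", "AP": "ap", "SSID": "ssid",
    "User login time": "login", "User logout time": "logout",
    "Logout reason": "reason",
    # Alternate labels, accepted defensively (assumption).
    "User offline time": "logout", "Offline reason": "reason",
}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # YYYY-MM-DD hh:mm:ss, per Table 11


def parse_logout_records(text):
    """Return one dict per offline record; a 'User name' line starts a record."""
    records, current = [], None
    for line in text.splitlines():
        # Split on the first colon only: time values contain colons too.
        key, sep, value = line.partition(":")
        field = FIELDS.get(key.strip())
        if not sep or field is None:
            continue  # prompt line, blank line, record total, unknown label
        if field == "user":
            current = {}
            records.append(current)
        if current is None:
            continue
        value = value.strip()
        if field in ("login", "logout"):
            value = datetime.strptime(value, TIME_FORMAT)
        current[field] = value
    # Keep only records that carry both timestamps.
    return [r for r in records if "login" in r and "logout" in r]


def session_seconds(record):
    """Length of the session in seconds."""
    return int((record["logout"] - record["login"]).total_seconds())


def who_was_online(records, ip, when):
    """Records whose session on the given IP covers 'when' (device time format)."""
    t = datetime.strptime(when, TIME_FORMAT)
    return [r for r in records
            if r.get("ip") == ip and r["login"] <= t <= r["logout"]]


def reason_summary(records):
    """Count records per logout reason."""
    return Counter(r.get("reason", "Unknown") for r in records)


if __name__ == "__main__":
    for rec in parse_logout_records(SAMPLE):
        print(rec["user"], rec["ip"], session_seconds(rec), rec["reason"])
```

Because the logout time is only known after the session ends, this lookup covers finished sessions; users who are still online appear in display portal user instead.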

display portal mac-trigger user

Use display portal mac-trigger user to display information about MAC-trigger authentication users (portal users that perform MAC-trigger authentication).

Syntax

display portal mac-trigger user { all | ip ipv4-address | mac mac-address }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all MAC-trigger authentication users.

ip ipv4-address: Specifies a MAC-trigger authentication user by its IP address.

mac mac-address: Specifies a MAC-trigger authentication user by its MAC address, in the format of H-H-H.

Examples

# Display information about all MAC-trigger authentication users.

<Sysname> display portal mac-trigger user all

Total portal mac-trigger users: 8

MAC address      IP address     VLAN ID   Interface          Traffic(Bytes)  State

0050-ba50-732a   1.1.1.6        1         Vlan-interface1    0               NOBIND

0050-ba50-7328   1.1.1.4        1         Vlan-interface1    0               NOBIND

0050-ba50-7326   1.1.1.2        1         Vlan-interface1    0               NOBIND

0050-ba50-732c   1.1.1.8        1         Vlan-interface1    0               NOBIND

0050-ba50-7329   1.1.1.5        1         Vlan-interface1    0               NOBIND

# Display information about the MAC-trigger authentication user whose MAC address is 0050-ba50-7777.

<Sysname> display portal mac-trigger user mac 0050-ba50-7777

MAC address      IP address     VLAN ID   Interface          Traffic(Bytes)  State

0050-ba50-7777   1.1.5.83       1         Vlan-interface1    0               NOBIND

# Display information about the MAC-trigger authentication user whose IP address is 1.1.2.126.

<Sysname> display portal mac-trigger user ip 1.1.2.126

MAC address      IP address     VLAN ID   Interface          Traffic(Bytes)  State

0050-ba50-74a2   1.1.2.126      1         Vlan-interface1    0               NOBIND

Table 12 Command output

Field             Description
MAC address       MAC address of the user.
IP address        IP address of the user.
VLAN ID           ID of the VLAN to which the user belongs.
Interface         Interface through which the user accesses the network.
Traffic(Bytes)    Traffic of the user, in bytes.
State             Status of the user:
                  ·     DEFAULT—The user's traffic is below the free-traffic threshold and the user can access the network without authentication.
                  ·     WAIT—The binding status between the user's MAC address and account is being queried.
                  ·     NOBIND—The user's MAC address is not bound with the user's account.
                  ·     BIND—The user's MAC address is bound with the user's account.
                  ·     DISABLE—The MAC-trigger entry for the user is deleted on the device.

Related commands

portal apply mac-trigger-server

portal mac-trigger-server

display portal mac-trigger-server

Use display portal mac-trigger-server to display information about MAC binding servers.

Syntax

display portal mac-trigger-server { all | name server-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all MAC binding servers.

name server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Examples

# Display information about all MAC binding servers.

<Sysname> display portal mac-trigger-server all

Portal mac trigger server name: ms1

  Version                    : 2.0

  Server type                : CMCC

  IP                         : 10.1.1.1

  Port                       : 100

  VPN instance               : Not configured

  Aging time                 : 120 seconds

  Free-traffic threshold     : 1000 bytes

  NAS-Port-Type              : 255

  Binding retry times        : 5

  Binding retry interval     : 2 seconds

  Authentication timeout     : 5 minutes

  Local-binding              : Disabled

  Local-binding aging-time   : 12 minutes

  aaa-fail nobinding         : Disabled

  Excluded attribute list    : 1

  Cloud-binding              : Disabled

  Cloud server URL           : Not configured

Portal mac trigger server name: mts

  Version                    : 1.0

  Server type                : IMC

  IP                         : 4.4.4.2

  Port                       : 50100

  VPN instance               : Not configured

  Aging time                 : 300 seconds

  Free-traffic threshold     : 0 bytes

  NAS-Port-Type              : Not configured

  Binding retry times        : 3

  Binding retry interval     : 1 seconds

  Authentication timeout     : 3 minutes

  Local-binding              : Disabled

  Local-binding aging-time   : 12 minutes

  aaa-fail nobinding         : Disabled

  Excluded attribute list    : 1

  Cloud-binding              : Disabled

  Cloud server URL           : Not configured

# Display information about MAC binding server ms1.

<Sysname> display portal mac-trigger-server name ms1

Portal mac trigger server name: ms1

  Version                    : 2.0

  Server type                : CMCC

  IP                         : 10.1.1.1

  Port                       : 100

  VPN instance               : Not configured

  Aging time                 : 120 seconds

  Free-traffic threshold     : 1000 bytes

  NAS-Port-Type              : 255

  Binding retry times        : 5

  Binding retry interval     : 2 seconds

  Authentication timeout     : 5 minutes

  Local-binding              : Disabled

  Local-binding aging-time   : 12 minutes

  aaa-fail nobinding         : Disabled

  Excluded attribute list    : 1

  Cloud-binding              : Disabled

  Cloud server URL           : Not configured

Table 13 Command output

Field                           Description
Portal mac trigger server name  Name of the MAC binding server.
Version                         Version of the portal protocol:
                                ·     1.0—Version 1.
                                ·     2.0—Version 2.
                                ·     3.0—Version 3.
Server type                     Type of the MAC binding server:
                                ·     CMCC—CMCC server.
                                ·     IMC—H3C IMC server or H3C CAMS server.
IP                              IP address of the MAC binding server.
Port                            UDP port number on which the MAC binding server listens for MAC binding query packets.
VPN instance                    This field is not supported in the current software version.
                                MPLS L3VPN where the MAC binding server resides.
Aging time                      Aging time in seconds. A MAC-trigger entry is aged out when the aging time expires.
Free-traffic threshold          Free-traffic threshold in bytes. If a user's traffic is below the threshold, the user can access the network without authentication.
NAS-Port-Type                   NAS-Port-Type attribute value in RADIUS request packets sent to the RADIUS server.
Binding retry times             Maximum number of attempts for sending MAC binding queries to the MAC binding server.
Binding retry interval          Interval at which the device sends MAC binding queries to the MAC binding server.
Authentication timeout          Maximum amount of time that the device waits for portal authentication to complete after receiving the MAC binding query response.
Excluded attribute list         Numbers of attributes excluded from portal protocol packets.
Local-binding                   Status of local MAC-trigger authentication:
                                ·     Disabled.
                                ·     Enabled.
Local-binding aging-time        Aging time for local MAC-account binding entries, in minutes.
Cloud-binding                   Status of cloud MAC-trigger authentication:
                                ·     Disabled.
                                ·     Enabled.
Cloud server URL                URL of the cloud portal authentication server.
aaa-fail nobinding              Status of the AAA failure unbinding feature:
                                ·     Disabled.
                                ·     Enabled.

display portal packet statistics

Use display portal packet statistics to display packet statistics for portal authentication servers and MAC binding servers.

Syntax

display portal packet statistics [ extend-auth-server { cloud | facebook | mail | qq | wechat } | mac-trigger-server server-name | server server-name ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

extend-auth-server: Specifies a third-party authentication server.

cloud: Specifies the Oasis cloud authentication server.

facebook: Specifies the Facebook authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

mac-trigger-server server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify any parameters, this command displays packet statistics for all third-party authentication servers, portal authentication servers, and MAC binding servers.

Examples

# Display packet statistics for portal authentication server pts.

<Sysname> display portal packet statistics server pts

 Portal server :  pts

 Invalid packets: 0

 Pkt-Type                            Total    Drops    Errors

 REQ_CHALLENGE                       3        0        0

 ACK_CHALLENGE                       3        0        0

 REQ_AUTH                            3        0        0

 ACK_AUTH                            3        0        0

 REQ_LOGOUT                          1        0        0

 ACK_LOGOUT                          1        0        0

 AFF_ACK_AUTH                        3        0        0

 NTF_LOGOUT                          1        0        0

 REQ_INFO                            6        0        0

 ACK_INFO                            6        0        0

 NTF_USERDISCOVER                    0        0        0

 NTF_USERIPCHANGE                    0        0        0

 AFF_NTF_USERIPCHAN                  0        0        0

 ACK_NTF_LOGOUT                      1        0        0

 NTF_HEARTBEAT                       0        0        0

 NTF_USER_HEARTBEAT                  2        0        0

 ACK_NTF_USER_HEARTBEAT              0        0        0

 NTF_CHALLENGE                       0        0        0

 NTF_USER_NOTIFY                     0        0        0

 AFF_NTF_USER_NOTIFY                 0        0        0

# Display packet statistics for MAC binding server newpt.

<Sysname> display portal packet statistics mac-trigger-server newpt

 MAC-trigger server: newpt

 Invalid packets: 0

 Pkt-Type                            Total    Drops    Errors

 REQ_MACBIND                         1        0        0

 ACK_MACBIND                         1        0        0

 NTF_MTUSER_LOGON                    1        0        0

 NTF_MTUSER_LOGOUT                   0        0        0

 REQ_MTUSER_OFFLINE                  0        0        0

# Display packet statistics for the cloud authentication server.

<Sysname> display portal packet statistics extend-auth-server cloud

Extend-auth server:  cloud

 Update interval:  60

  Pkt-Type               Success    Error      Timeout    Conn-failure

  REQ_ACCESSTOKEN        1          0          0          0

  REQ_USERINFO           1          0          0          0

  RESP_ACCESSTOKEN       1          0          0          0

  RESP_USERINFO          1          0          0          0

  POST_ONLINEDATA        0          0          0          0

  RESP_ONLINEDATA        0          0          0          0

  POST_OFFLINEUSER       1          0          0          0

  REPORT_ONLINEUSER      1          0          0          0

  REQ_CLOUDBIND          1          0          0          0

  RESP_CLOUDBIND         1          0          0          0

  REQ_BINDUSERINFO       0          0          0          0

  RESP_BINDUSERINFO      0          0          0          0

  AUTHENTICATION         0          1          0          0

Table 14 Command output

Field                     Description
Portal server             Name of the portal authentication server.
Invalid packets           Number of invalid packets.
Pkt-Type                  Packet type.
Total                     Total number of packets.
Drops                     Number of dropped packets.
Errors                    Number of packets that carry error information.
REQ_CHALLENGE             Challenge request packet the portal authentication server sent to the access device.
ACK_CHALLENGE             Challenge acknowledgment packet the access device sent to the portal authentication server.
REQ_AUTH                  Authentication request packet the portal authentication server sent to the access device.
ACK_AUTH                  Authentication acknowledgment packet the access device sent to the portal authentication server.
REQ_LOGOUT                Logout request packet the portal authentication server sent to the access device.
ACK_LOGOUT                Logout acknowledgment packet the access device sent to the portal authentication server.
AFF_ACK_AUTH              Affirmation packet the portal authentication server sent to the access device after receiving an authentication acknowledgment packet.
NTF_LOGOUT                Forced logout notification packet the access device sent to the portal authentication server.
REQ_INFO                  Information request packet.
ACK_INFO                  Information acknowledgment packet.
NTF_USERDISCOVER          User discovery notification packet the portal authentication server sent to the access device.
NTF_USERIPCHANGE          User IP change notification packet the access device sent to the portal authentication server.
AFF_NTF_USERIPCHAN        User IP change success notification packet the portal authentication server sent to the access device.
ACK_NTF_LOGOUT            Forced logout acknowledgment packet the portal authentication server sent to the access device.
NTF_HEARTBEAT             Server heartbeat packet the portal authentication server periodically sent to the access device.
NTF_USER_HEARTBEAT        User synchronization packet the portal authentication server sent to the access device.
ACK_NTF_USER_HEARTBEAT    User synchronization acknowledgment packet the access device sent to the portal authentication server.
NTF_CHALLENGE             Challenge request packet the access device sent to the portal authentication server.
NTF_USER_NOTIFY           User information notification packet the access device sent to the portal authentication server.
AFF_NTF_USER_NOTIFY       NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.
MAC-trigger server        Name of the MAC binding server.
REQ_MACBIND               MAC binding request packet the access device sent to the MAC binding server.
ACK_MACBIND               MAC binding acknowledgment packet the MAC binding server sent to the access device.
NTF_MTUSER_LOGON          User logon notification packet the access device sent to the MAC binding server.
NTF_MTUSER_LOGOUT         User logout notification packet the access device sent to the MAC binding server.
REQ_MTUSER_OFFLINE        Forced offline request packet the MAC binding server sent to the access device.
Extend-auth server        Type of the third-party authentication server:
                          ·     qq—QQ authentication server.
                          ·     mail—Email authentication server.
                          ·     wechat—WeChat authentication server.
                          ·     cloud—Oasis cloud authentication server.
                          ·     facebook—Facebook authentication server.
Update interval           Interval at which the device sends online user information to the third-party authentication server, in seconds. This field is displayed only if the type of the third-party authentication server is cloud.
Success                   Number of packets that have been successfully sent or received.
Timeout                   Number of packets that timed out while establishing a connection to the third-party authentication server.
Conn-failure              Number of packets that failed to establish a connection to the third-party authentication server.
Deny                      Number of packets denied access to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is mail.
REQ_ACCESSTOKEN           Access token request packet the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is qq, facebook, cloud or wechat.
REQ_OPENID                Open ID request packet the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is qq.
REQ_USERINFO              User information request packet the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is qq, facebook, cloud or wechat.
RESP_ACCESSTOKEN          Access token response packet the access device received from the third-party authentication server. This field is displayed only if the type of the third-party authentication server is qq, facebook, cloud or wechat.
RESP_OPENID               Open ID response packet the access device received from the third-party authentication server. This field is displayed only if the type of the third-party authentication server is qq.
RESP_USERINFO             User information response packet the access device received from the third-party authentication server. This field is displayed only if the type of the third-party authentication server is qq, facebook, cloud or wechat.
REQ_POP3                  POP3 authentication request packet the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is mail.
REQ_IMAP                  IMAP authentication request packet the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is mail.
POST_ONLINEDATA           Cloud user information request packet the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is cloud.
RESP_ONLINEDATA           Cloud user information response packet the access device received from the third-party authentication server. This field is displayed only if the type of the third-party authentication server is cloud.
POST_OFFLINEUSER          Cloud user offline packet the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is cloud or wechat.
REPORT_ONLINEUSER         Cloud user online packet the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is cloud or wechat.
REQ_CLOUDBIND             Cloud user binding status query request that the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is cloud.
RESP_CLOUDBIND            Cloud user binding status query response that the access device received from the third-party authentication server. This field is displayed only if the type of the third-party authentication server is cloud.
REQ_BINDUSERINFO          Cloud user information request packet that the access device sent to the third-party authentication server. This field is displayed only if the type of the third-party authentication server is cloud.
RESP_BINDUSERINFO         Cloud user information response packet that the access device received from the third-party authentication server. This field is displayed only if the type of the third-party authentication server is cloud.
AUTHENTICATION            Result of third-party authentication.

Related commands

reset portal packet statistics
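
For monitoring, the three table layouts shown above (portal server, MAC binding server, third-party server) can be read by one parser that then reports every non-zero failure counter. The following Python sketch is an added example, not H3C code; the function names are assumptions, and the sample text is constructed from the output format above with some counters altered so that findings appear.

```python
import re

# Constructed sample in the format of "display portal packet statistics".
SAMPLE = """\
 Portal server :  pts
 Invalid packets: 2
 Pkt-Type                            Total    Drops    Errors
 REQ_CHALLENGE                       3        0        0
 REQ_AUTH                            3        1        0
 ACK_AUTH                            3        0        2

 MAC-trigger server: newpt
 Invalid packets: 0
 Pkt-Type                            Total    Drops    Errors
 REQ_MACBIND                         1        0        0
 ACK_MACBIND                         1        0        0

Extend-auth server:  cloud
 Update interval:  60
  Pkt-Type               Success    Error      Timeout    Conn-failure
  REQ_ACCESSTOKEN        1          0          0          0
  AUTHENTICATION         0          1          0          0
"""

# A section starts with one of the three server header lines.
SECTION_RE = re.compile(
    r"^(Portal server|MAC-trigger server|Extend-auth server)\s*:\s*(\S+)$")
# Columns that count normal traffic; any other column is treated as a
# failure counter (Drops, Errors, Error, Timeout, Conn-failure, Deny).
OK_COLUMNS = {"Total", "Success"}


def parse_packet_statistics(text):
    """Return a list of sections: kind, name, invalid count, per-type counters."""
    sections, current, columns = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = {"kind": match.group(1), "name": match.group(2),
                       "invalid": 0, "rows": {}}
            sections.append(current)
            columns = []  # each section has its own column header
            continue
        if current is None:
            continue  # prompt line or other text before the first section
        if line.startswith("Invalid packets"):
            current["invalid"] = int(line.partition(":")[2].strip())
        elif line.startswith("Pkt-Type"):
            columns = line.split()[1:]
        elif columns:
            parts = line.split()
            # A data row is a packet type followed by one integer per column.
            if len(parts) == len(columns) + 1 and all(p.isdigit() for p in parts[1:]):
                current["rows"][parts[0]] = dict(zip(columns, map(int, parts[1:])))
    return sections


def find_anomalies(sections):
    """Return (server, packet type, counter, value) for each non-zero failure counter."""
    findings = []
    for section in sections:
        if section["invalid"]:
            findings.append((section["name"], "-", "Invalid packets", section["invalid"]))
        for pkt_type, counters in section["rows"].items():
            for column, value in counters.items():
                if column not in OK_COLUMNS and value:
                    findings.append((section["name"], pkt_type, column, value))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_packet_statistics(SAMPLE)):
        print("%s %s %s=%d" % finding)
```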

display portal permit-rule statistics

Use display portal permit-rule statistics to display statistics for portal permit rules.

Syntax

display portal permit-rule statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

Portal permit rules refer to category 1 and category 2 portal filtering rules, which permit user packets to pass.

Examples

# Display statistics for portal permit rules.

<Sysname> display portal permit-rule statistics

Interface             Free rules           Fuzzy rules            User rules

Vlan-interface30      2                    5                      10

Vlan-interface30      2                    3                      6

Table 15 Command output

Field          Description
Interface      Interface on which portal permit rules are used.
Free rules     Number of permit rules generated based on configured portal-free rules, excluding permit rules generated based on fuzzy matches of destination-based portal-free rules.
Fuzzy rules    Number of permit rules generated based on fuzzy matches of destination-based portal-free rules.
User rules     Number of permit rules generated after portal users pass authentication.

display portal redirect session

Use display portal redirect session to display redirect session statistics for online portal users.

Syntax

In standalone mode:

display portal redirect session [ ip ipv4-address | ipv6 ipv6-address ]

In IRF mode:

display portal redirect session [ ip ipv4-address | ipv6 ipv6-address ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ipv4-address: Specifies a portal user by its IPv4 address.

ipv6 ipv6-address: Specifies a portal user by its IPv6 address.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays redirect session statistics for online portal users on all member devices. (In IRF mode.)

Usage guidelines

If you do not specify an IPv4 or IPv6 portal user, this command displays redirect session statistics for all online portal users.

Examples

# (In standalone mode.) Display redirect session statistics for all online portal users.

<Sysname> display portal redirect session

Total HTTP sessions: 40

Total HTTP rejected: 18

Total HTTPS sessions: 40

Total HTTPS rejected: 80

IP: 192.168.0.1

  HTTP sessions: 20

  HTTP rejected: 10

  HTTPS sessions: 20

  HTTPS rejected: 40

IP: 192.168.0.2

  HTTP sessions: 20

  HTTP rejected: 8

  HTTPS sessions: 20

  HTTPS rejected: 40

# (In IRF mode.) Display redirect session statistics for all online portal users on the specified slot.

<Sysname> display portal redirect session slot 0

Total HTTP sessions: 40

Total HTTP rejected: 18

Total HTTPS sessions: 40

Total HTTPS rejected: 80

IP: 192.168.0.1

  HTTP sessions: 20

  HTTP rejected: 10

  HTTPS sessions: 20

  HTTPS rejected: 40

IP: 192.168.0.2

  HTTP sessions: 20

  HTTP rejected: 8

  HTTPS sessions: 20

  HTTPS rejected: 40

# (In standalone mode.) Display redirect session statistics for the online portal user at 192.168.0.2.

<Sysname> display portal redirect session ip 192.168.0.2

IP: 192.168.0.2

  HTTP sessions: 128

  HTTP rejected: 10

  HTTPS sessions: 0

  HTTPS rejected: 0

# (In IRF mode.) Display redirect session statistics for the online portal user at 192.168.0.2 on the specified slot.

<Sysname> display portal redirect session ip 192.168.0.2 slot 0

IP: 192.168.0.2

  HTTP sessions: 128

  HTTP rejected: 10

  HTTPS sessions: 0

  HTTPS rejected: 0

Table 16 Command output

Field                   Description
Total HTTP sessions     Total number of HTTP redirect sessions.
Total HTTP rejected     Total number of discarded HTTP redirect session requests.
Total HTTPS sessions    Total number of HTTPS redirect sessions.
Total HTTPS rejected    Total number of discarded HTTPS redirect session requests.
IP                      IP address of the online portal user.
HTTP sessions           Number of HTTP redirect sessions for the user.
HTTP rejected           Number of discarded HTTP redirect session requests for the user.
HTTPS sessions          Number of HTTPS redirect sessions for the user.
HTTPS rejected          Number of discarded HTTPS redirect session requests for the user.

Related commands

portal redirect max-session

portal redirect max-session per-user

display portal redirect session-record

Use display portal redirect session-record to display history records about portal redirect sessions.

Syntax

In standalone mode:

display portal redirect session-record [ start-time start-date start-time ] [ end-time end-date end-time ]

In IRF mode:

display portal redirect session-record [ start-time start-date start-time ] [ end-time end-date end-time ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

start-time start-date start-time: Specifies the start time of a time range. The start date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time must be in the format of hh:mm. The value range for the start time is 00:00 to 23:59. If you do not specify a start time, the time range starts when portal authentication was enabled.

end-time end-date end-time: Specifies the end time of a time range. The end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The end time must be in the format of hh:mm. The value range for the end time is 00:00 to 23:59. If you do not specify an end time, the time range ends with the current time.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays history records about portal redirect sessions on all member devices. (In IRF mode.)

Usage guidelines

After portal authentication is enabled, the device records statistics about portal redirect sessions on a per-minute basis. The device keeps only the records generated within the most recent 24 hours. After 24 hours, each new record overwrites the oldest record.

Examples

# (In standalone mode.) Display history records about portal redirect sessions in the time range from 2019/3/20 14:40 to now.

<Sysname> display portal redirect session-record start-time 2019/3/20 14:40

 

Time               HTTP sessions  HTTP rejected  HTTPS sessions  HTTPS rejected

2019/03/20 14:40   1              0              21              1

2019/03/20 14:41   2              0              21              1

2019/03/20 14:42   13             1              31              1

2019/03/20 14:43   14             1              0               0

# (In IRF mode.) Display history records about portal redirect sessions in the time range from 2019/3/20 14:40 to now.

<Sysname> display portal redirect session-record start-time 2019/3/20 14:40 slot 0

 

Time               HTTP sessions  HTTP rejected  HTTPS sessions  HTTPS rejected

2019/03/20 14:40   1              0              21              1

2019/03/20 14:41   2              0              21              1

2019/03/20 14:42   13             1              31              1

2019/03/20 14:43   14             1              0               0

Table 17 Command output

Field             Description
Time              Time when the record was generated.
HTTP sessions     Number of HTTP redirect sessions for all portal users.
HTTP rejected     Number of discarded HTTP redirect session requests for all portal users.
HTTPS sessions    Number of HTTPS redirect sessions for all portal users.
HTTPS rejected    Number of discarded HTTPS redirect session requests for all portal users.

Related commands

reset portal redirect session-record

display portal redirect session-statistics

Use display portal redirect session-statistics to display summary statistics about portal redirect sessions.

Syntax

In standalone mode:

display portal redirect session-statistics

In IRF mode:

display portal redirect session-statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays summary statistics about portal redirect sessions on all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display summary statistics about portal redirect sessions.

<Sysname> display portal redirect session-statistics

  HTTP sessions  HTTP rejected  HTTPS sessions  HTTPS rejected

  30             2              73              3

# (In IRF mode.) Display summary statistics about portal redirect sessions on the specified slot.

<Sysname> display portal redirect session-statistics slot 0

  HTTP sessions  HTTP rejected  HTTPS sessions  HTTPS rejected

  30             2              73              3

Table 18 Command output

Field             Description
HTTP sessions     Number of HTTP redirect sessions for all portal users.
HTTP rejected     Number of rejected HTTP redirect session requests for all portal users.
HTTPS sessions    Number of HTTPS redirect sessions for all portal users.
HTTPS rejected    Number of rejected HTTPS redirect session requests for all portal users.

Related commands

reset portal redirect session-statistics

display portal redirect statistics

Use display portal redirect statistics to display portal redirect packet statistics.

Syntax

In standalone mode:

display portal redirect statistics

In IRF mode:

display portal redirect statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays portal redirect packet statistics on all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display portal redirect packet statistics.

<Sysname> display portal redirect statistics

 HTTP requests  HTTP responses  HTTPS requests  HTTPS responses

 1              1               1               1

# (In IRF mode.) Display portal redirect packet statistics on the specified slot.

<Sysname> display portal redirect statistics slot 1

 HTTP requests  HTTP responses  HTTPS requests  HTTPS responses

 1              1               1               1

Table 19 Command output

Field              Description
HTTP requests      Total number of HTTP redirect requests.
HTTP responses     Total number of HTTP redirect responses.
HTTPS requests     Total number of HTTPS redirect requests.
HTTPS responses    Total number of HTTPS redirect responses.

Related commands

reset portal redirect statistics

display portal roaming-center statistics packet

Use display portal roaming-center statistics packet to display packet statistics for the portal roaming center.

Syntax

display portal roaming-center statistics packet

The following compatibility matrix shows the support of hardware platforms for this command:

 

Hardware series            Model            Product code         Command compatibility
WX1800H series             WX1804H          EWP-WX1804H-PWR-CN   No
WX2500H series             WX2508H-PWR-LTE  EWP-WX2508H-PWR-LTE  No
WX2500H series             WX2510H          EWP-WX2510H-PWR      No
WX2500H series             WX2510H-F        EWP-WX2510H-F-PWR    No
WX2500H series             WX2540H          EWP-WX2540H          No
WX2500H series             WX2540H-F        EWP-WX2540H-F        No
WX2500H series             WX2560H          EWP-WX2560H          No
WX3000H series             WX3010H          EWP-WX3010H          No
WX3000H series             WX3010H-X        EWP-WX3010H-X-PWR    No
WX3000H series             WX3010H-L        EWP-WX3010H-L-PWR    No
WX3000H series             WX3024H          EWP-WX3024H          No
WX3000H series             WX3024H-L        EWP-WX3024H-L-PWR    No
WX3000H series             WX3024H-F        EWP-WX3024H-F        No
WX3500H series             WX3508H          EWP-WX3508H          No
WX3500H series             WX3510H          EWP-WX3510H          Yes
WX3500H series             WX3520H          EWP-WX3520H          Yes
WX3500H series             WX3520H-F        EWP-WX3520H-F        Yes
WX3500H series             WX3540H          EWP-WX3540H          Yes
WX5500E series             WX5510E          EWP-WX5510E          Yes
WX5500E series             WX5540E          EWP-WX5540E          Yes
WX5500H series             WX5540H          EWP-WX5540H          Yes
WX5500H series             WX5560H          EWP-WX5560H          Yes
WX5500H series             WX5580H          EWP-WX5580H          Yes
Access controller modules  LSUM1WCME0       LSUM1WCME0           No
Access controller modules  EWPXM1WCME0      EWPXM1WCME0          No
Access controller modules  LSQM1WCMX20      LSQM1WCMX20          No
Access controller modules  LSUM1WCMX20RT    LSUM1WCMX20RT        No
Access controller modules  LSQM1WCMX40      LSQM1WCMX40          Yes
Access controller modules  LSUM1WCMX40RT    LSUM1WCMX40RT        Yes
Access controller modules  EWPXM2WCMD0F     EWPXM2WCMD0F         No
Access controller modules  EWPXM1MAC0F      EWPXM1MAC0F          No

Hardware series            Model            Product code         Command compatibility
WX1800H series             WX1804H          EWP-WX1804H-PWR      No
WX1800H series             WX1810H          EWP-WX1810H-PWR      No
WX1800H series             WX1820H          EWP-WX1820H          No
WX1800H series             WX1840H          EWP-WX1840H-GL       No
WX3800H series             WX3820H          EWP-WX3820H-GL       Yes
WX3800H series             WX3840H          EWP-WX3840H-GL       Yes
WX5800H series             WX5860H          EWP-WX5860H-GL       Yes

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display packet statistics for the portal roaming center.

<Sysname> display portal roaming-center statistics packet

Total sent packets: 0

Total received packets: 0

Invalid packets: 0

Pkt-Type                   Success                  Failed             Timeout

RC_REQ_INFO                1                        1                  0

RC_ACK_INFO                1                        2                  1

RC_REQ_ONLINE              1                        2                  0

RC_ACK_ONLINE              1                        1                  1

RC_REQ_OFFLINE             1                        1                  0

RC_ACK_OFFLINE             1                        1                  1

RC_REQ_DHCPINFO            1                        1                  1

RC_ACK_DHCPINFO            1                        1                  1

RC_REQ_NTY_OFFLINE         1                        1                  0

RC_ACK_NTY_OFFLINE         1                        1                  1

Table 20 Command output

Field

Description

Total sent packets

Total number of packets that the portal roaming center sent to the WLAN roaming center.

Total received packets

Total number of packets that the portal roaming center received from the WLAN roaming center.

Invalid packets

Total number of incoming invalid packets.

Pkt-Type

Type of the packet:

·     RC_REQ_INFO—User query request that the portal roaming center sends to the WLAN roaming center.

·     RC_ACK_INFO—User query response that the WLAN roaming center sends to the portal roaming center.

·     RC_REQ_ONLINE—User online packet that the portal roaming center sends to the WLAN roaming center.

·     RC_ACK_ONLINE—User online response that the WLAN roaming center sends to the portal roaming center.

·     RC_REQ_OFFLINE—User offline packet that the portal roaming center sends to the WLAN roaming center.

·     RC_ACK_OFFLINE—User offline response that the WLAN roaming center sends to the portal roaming center.

·     RC_REQ_DHCPINFO—User DHCP information packet that the portal roaming center sends to the WLAN roaming center.

·     RC_ACK_DHCPINFO—User DHCP information response that the WLAN roaming center sends to the portal roaming center.

·     RC_REQ_NTY_OFFLINE—User offline packet that the WLAN roaming center sends to the portal roaming center.

·     RC_ACK_NTY_OFFLINE—User offline response that the portal roaming center sends to the WLAN roaming center.

Success

Total number of packets that have been successfully transmitted from the portal roaming center to the WLAN roaming center.

NOTE:

·     For RC_REQ_DHCPINFO packets, this field counts all the user DHCP information packets successfully exchanged between the portal roaming center and the WLAN roaming center.

·     For RC_ACK_DHCPINFO packets, this field counts all the user DHCP information responses successfully exchanged between the portal roaming center and the WLAN roaming center.

Failed

Total number of packets that failed to be transmitted from the portal roaming center to the WLAN roaming center.

NOTE:

·     For RC_REQ_DHCPINFO packets, this field counts all the user DHCP information packets that failed to be exchanged between the portal roaming center and the WLAN roaming center.

·     For RC_ACK_DHCPINFO packets, this field counts all the user DHCP information responses that failed to be exchanged between the portal roaming center and the WLAN roaming center.

Timeout

Number of times that the packet transmission timed out.

 

Related commands

reset portal roaming-center statistics packet

display portal rule

Use display portal rule to display portal filtering rules.

Syntax

In standalone mode:

display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

In IRF mode:

display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ slot slot-number ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all portal filtering rules, including dynamic and static portal filtering rules.

dynamic: Displays dynamic portal filtering rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface.

static: Displays static portal filtering rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays portal filtering rules for all radios of the AP.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays portal filtering rules on all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display all portal filtering rules on AP ap1.

<Sysname> display portal rule all ap ap1

Slot 1:

IPv4 portal rules on ap1:

Radio ID : 1

SSID     : portal

Rule 1:

 Type                : Static

 Action              : Forbid

 Protocol            : Any

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

    SSID           : portal

    Interface      : WLAN-BSS1/0/1

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

 

Rule 2:

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 23

    MAC       : 0000-0000-0000

    Interface : WLAN-BSS1/0/1

    VLAN      : any

 Destination:

    IP        : 192.168.0.111

    Mask      : 255.255.255.255

    Port      : Any

 

Rule 3:

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP        : 2.2.2.2

    MAC       : 000d-88f8-0eab

    Interface : WLAN-BSS1/0/1

    VLAN      : 2

 Author ACL:

    Number    : N/A

 

Rule 4:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Interface : WLAN-BSS1/0/1

    VLAN      : any

    Protocol  : TCP

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 80

 

Rule 5:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Interface : WLAN-BSS1/0/1

    VLAN      : Any

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

# (In IRF mode.) Display all portal filtering rules on AP ap1.

<Sysname> display portal rule all ap ap1

Slot 1:

IPv4 portal rules on ap1:

Radio ID : 1

SSID     : portal

Rule 1:

 Type                : Static

 Action              : Forbid

 Protocol            : Any

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

    SSID           : portal

    Interface      : WLAN-BSS1/0/1

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

 

Rule 2:

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 23

    MAC       : 0000-0000-0000

    Interface : WLAN-BSS1/0/1

    VLAN      : any

 Destination:

    IP        : 192.168.0.111

    Mask      : 255.255.255.255

    Port      : Any

 

Rule 3:

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP        : 2.2.2.2

    Mask      : 255.255.255.255

    MAC       : 000d-88f8-0eab

    Interface : WLAN-BSS1/0/1

    VLAN      : 2

 Author ACL:

    Number    : N/A

 

Rule 4:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Interface : WLAN-BSS1/0/1

    VLAN      : any

    Protocol  : TCP

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 80

 

Rule 5:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Interface : WLAN-BSS1/0/1

    VLAN      : Any

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

Table 21 Command output

Field

Description

Radio ID

ID of the radio.

SSID

Service set identifier.

Rule

Number of the portal rule. IPv4 portal filtering rules and IPv6 portal filtering rules are numbered separately.

Type

Type of the portal filtering rule:

·     Static—Static portal rule.

·     Dynamic—Dynamic portal rule.

Action

Action triggered by the portal filtering rule:

·     Permit—The interface allows packets to pass.

·     Forbid—The interface forbids packets from passing.

·     Redirect—The interface redirects packets.

·     Deny—The interface denies packets.

·     Match pre-auth ACL—The interface matches packets against the authorized ACL rules in the preauthentication domain.

Protocol

Transport layer protocol permitted by the portal filtering rule:

·     Any—Permits any transport layer protocol.

·     TCP—Permits TCP.

·     UDP—Permits UDP.

Status

Status of the portal filtering rule:

·     Active—The portal rule is effective.

·     Unactuated—The portal rule is not activated.

Source

Source information of the portal filtering rule.

IP

Source IPv4 or IPv6 address.

If the IPv6 address of a portal user changes after the user has come online, this field displays colons (::). This value indicates that no IP address is specified in the portal filtering rule.

Mask

Subnet mask of the source IPv4 address.

Prefix length

Prefix length of the source IPv6 address.

Port

Source transport layer port number.

MAC

Source MAC address.

SSID

Source SSID.

This field is displayed only if an SSID is specified in the portal-forbidden rule configured by using the portal forbidden-rule command.

Interface

Layer 2 or Layer 3 interface on which the portal rule is implemented.

VLAN

Source VLAN ID.

Protocol

Transport layer protocol of the portal redirect rule. This field always displays TCP.

Destination

Destination information of the portal filtering rule.

IP

Destination IP address.

Port

Destination transport layer port number.

Mask

Subnet mask of the destination IPv4 address.

Prefix length

Prefix length of the destination IPv6 address.

Author ACL

Authorized ACL assigned to authenticated portal users. This field is displayed only for a dynamic portal filtering rule.

Pre-auth ACL

Authorized ACL assigned to preauthentication portal users. This field is displayed only for the Match pre-auth ACL action.

Number

Number of the authorized ACL. This field displays N/A if the AAA server does not assign an ACL.
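The fields in Table 21 can be reviewed offline once the command output is saved as text. The following Python is an added example, not H3C code: it parses display portal rule output and reports active static Permit rules that match any source, plus dynamic rules whose Author ACL number is N/A. The sample text is rules 2, 3 and 5 from the example output above; the function names and finding labels are hypothetical, and treating a static any-source Permit rule as traffic that passes without a per-user dynamic rule is an assumption based on the parameter descriptions.

```python
import ipaddress
import re

# Rules 2, 3 and 5 from the example output above (blank lines removed).
SAMPLE = """\
Rule 2:
 Type                : Static
 Action              : Permit
 Protocol            : Any
 Status              : Active
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Port      : 23
    MAC       : 0000-0000-0000
    Interface : WLAN-BSS1/0/1
    VLAN      : any
 Destination:
    IP        : 192.168.0.111
    Mask      : 255.255.255.255
    Port      : Any
Rule 3:
 Type                : Dynamic
 Action              : Permit
 Status              : Active
 Source:
    IP        : 2.2.2.2
    MAC       : 000d-88f8-0eab
    Interface : WLAN-BSS1/0/1
    VLAN      : 2
 Author ACL:
    Number    : N/A
Rule 5:
 Type                : Static
 Action              : Deny
 Status              : Active
 Source:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
    Interface : WLAN-BSS1/0/1
    VLAN      : Any
 Destination:
    IP        : 0.0.0.0
    Mask      : 0.0.0.0
"""

FIELD = re.compile(r"^\s*([A-Za-z][\w /-]*?)\s*:\s*(.*)$")
SECTIONS = {"Source", "Destination", "Author ACL", "Pre-auth ACL"}


def parse_rules(text):
    """One dict per 'Rule N:' block; fields inside a section are keyed 'Section.Field'."""
    rules, rule, section = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        num = re.fullmatch(r"Rule (\d+)", key)
        if value:
            if rule is not None:
                rule[f"{section}.{key}" if section else key] = value
        elif num:
            rule, section = {"Rule": int(num.group(1))}, None
            rules.append(rule)
        elif key in SECTIONS:
            section = key
        else:
            rule = None  # 'Slot 1:' or 'IPv4 portal rules on ...' header ends the block
    return rules


def network(rule, side):
    """Source or Destination of a rule as an ip_network, or None if no IP is listed."""
    ip = rule.get(f"{side}.IP")
    width = rule.get(f"{side}.Mask") or rule.get(f"{side}.Prefix length")
    return ip and ipaddress.ip_network(f"{ip}/{width}" if width else ip, strict=False)


def audit(rules):
    """Findings for active Permit rules; the finding labels are hypothetical names."""
    findings = []
    for r in rules:
        if r.get("Action") != "Permit" or r.get("Status") != "Active":
            continue
        src, dst = network(r, "Source"), network(r, "Destination")
        if r.get("Type") == "Static" and (src is None or src.prefixlen == 0):
            # Static rule, any source: passes without a per-user dynamic rule.
            scope = str(dst) if dst is not None and dst.prefixlen else "any destination"
            port = r.get("Destination.Port", "Any")
            findings.append((r["Rule"], "static-permit-any-source", f"{scope} port {port}"))
        elif r.get("Type") == "Dynamic" and r.get("Author ACL.Number") == "N/A":
            # Table 21: N/A means the AAA server did not assign an ACL.
            findings.append((r["Rule"], "no-authorized-acl", str(src)))
    return findings
```

Calling audit(parse_rules(text)) on saved output gives one tuple per finding: rule number, label, and the destination scope or the user's source address.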

 

display portal safe-redirect statistics

Use display portal safe-redirect statistics to display portal safe-redirect packet statistics.

Syntax

In standalone mode:

display portal safe-redirect statistics

In IRF mode:

display portal safe-redirect statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays statistics on all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display portal safe-redirect packet statistics.

<Sysname> display portal safe-redirect statistics

Redirect statistics:

  Success: 5

  Failure: 6

  Total: 11

 

Method statistics:

  Get: 6

  Post: 2

  Others: 3

 

Default-action statistics:

  Permit: 1

  Forbid: 0

 

User agent statistics:

  Safari: 3

  Chrome: 2

 

Forbidden User URL statistics:

  http://www.abc.com: 0

 

Forbidden filename extension statistics:

  .jpg: 0

# (In IRF mode.) Display portal safe-redirect packet statistics on the specified slot.

<Sysname> display portal safe-redirect statistics slot 1

Slot 1:

Redirect statistics:

  Success: 7

  Failure: 8

  Total  : 15

 

Method statistics:

  Get    : 11

  Post   : 1

  Others : 3

 

Default-action statistics:

  Permit: 1

  Forbid: 0

 

User agent statistics:

  Safari: 3

  Chrome: 2

 

Forbidden User URL statistics:

  www.qq.com: 4

 

Forbidden filename extension statistics:

  .jpg: 0

Table 22 Command output

Field                                     Description
Success                                   Number of packets redirected successfully.
Failure                                   Number of packets that failed to be redirected.
Total                                     Total number of packets.
Method statistics                         Statistics of HTTP request methods.
Get                                       Number of packets with the GET request method.
Post                                      Number of packets with the POST request method.
Others                                    Number of packets with other request methods.
User agent statistics                     Browser types (in HTTP User Agent) allowed by portal safe-redirect, and packet statistics for the browsers.
Forbidden URL statistics                  URLs forbidden by portal safe-redirect, and statistics for packets dropped by forbidden URL filtering.
Forbidden filename extension statistics   Filename extensions forbidden by portal safe-redirect, and statistics for packets dropped by forbidden filename extension filtering.
Permit user URL statistics                URLs permitted by portal safe-redirect, and packet statistics for the URLs.
Default-action statistics                 Statistics on packets processed by the default actions of portal safe-redirect.

 

Related commands

reset portal safe-redirect statistics

display portal server

Use display portal server to display information about portal authentication servers.

Syntax

display portal server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server-name argument, this command displays information about all portal authentication servers.

Examples

# Display information about portal authentication server pts.

<Sysname> display portal server pts

Portal server: pts

  Type                  : IMC

  IP                    : 192.168.0.111

  VPN instance          : Not configured

  Port                  : 50100

  Server detection      : Timeout 60s  Action: log, trap

  User synchronization  : Timeout 200s

  Status                : Up

  Exclude-attribute     : Not configured

  Logout notification   : Retry 3 interval 5s

Table 23 Command output

Field

Description

Type

Portal authentication server type:

·     CMCC—CMCC server.

·     IMC—IMC server.

Portal server

Name of the portal authentication server.

IP

IP address of the portal authentication server.

VPN instance

This field is not supported in the current software version.

MPLS L3VPN where the portal authentication server resides.

Port

Listening port on the portal authentication server.

Server detection

Parameters for portal authentication server detection:

·     Detection timeout in seconds.

·     Actions (log and trap) triggered by the reachability status change of the portal authentication server.

User synchronization

User idle timeout in seconds for portal user synchronization.

Status

Reachability status of the portal authentication server:

·     Up—This value indicates one of the following conditions:

¡     Portal authentication server detection is disabled.

¡     Portal authentication server detection is enabled and the server is reachable.

·     Down—Portal authentication server detection is enabled and the server is unreachable.

Exclude-attribute

Attributes that are not carried in portal protocol packets sent to the portal authentication server.

Logout-notification

Maximum number of times and the interval (in seconds) for retransmitting a logout notification packet.

 

Related commands

portal enable

portal server

server-detect (portal authentication server view)

user-sync

display portal user

Use display portal user to display information about portal users.

Syntax

display portal user { all | ap ap-name [ radio radio-id ] | auth-type { cloud | email | facebook | local | mac-trigger | normal | qq | wechat } | interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address | mac mac-address | pre-auth [ interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address ] | username username } [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6: Specifies an IPv6 access group. If you do not specify this keyword, the command displays information about portal users in the IPv4 access group.

all: Displays information about all portal users.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays information about portal users for all radios of the AP.

auth-type: Specifies an authentication type.

cloud: Specifies the cloud authentication (a cloud portal authentication server performs portal authentication on portal users).

email: Specifies the email authentication.

facebook: Specifies the Facebook authentication.

local: Specifies the local authentication (a local portal authentication server performs portal authentication on portal users).

mac-trigger: Specifies the MAC-trigger authentication.

normal: Specifies the normal authentication (a remote portal authentication server performs portal authentication on portal users).

qq: Specifies QQ authentication.

wechat: Specifies WeChat authentication.

interface interface-type interface-number: Displays information about portal users on the specified interface.

ip ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

mac mac-address: Specifies the MAC address of a portal user, in the format of H-H-H.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

pre-auth: Displays information about preauthentication portal users. A preauthentication user is a user who is authorized with the authorization attributes in a preauthentication domain before portal authentication. If you do not specify the pre-auth keyword, this command displays information about authenticated portal users.

brief: Displays brief information about portal users.

verbose: Displays detailed information about portal users.

Usage guidelines

If you specify neither the brief nor the verbose keyword, this command displays portal authentication-related information for portal users.

Examples

# Display information about all portal users.

<Sysname> display portal user all

Total portal users: 1

Username: def

  AP name: ap1

  Radio ID: 1

  SSID: portal

  Portal server: pts

  State: Online

  VPN instance: vpn1

  MAC                IP                 VLAN   Interface

  000d-88f8-0eac     4.4.4.4            2      Bss1/2

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    Session group profile: N/A

    ACL number/name: 3000 (active, AAA)

    Inbound CAR: CIR 9000       bps PIR 20500      bps

                 CBS 20500      bit (active, AAA)

    Outbound CAR: CIR 9000       bps PIR 20400      bps

                  CBS 20400      bit (active, AAA)

# Display information about portal users whose authentication type is normal authentication.

<Sysname> display portal user auth-type normal

Total remote users: 1

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active, OAuth)

    Session group profile: cd (inactive, OAuth)

    ACL number/name: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

# Display information about the portal user whose MAC address is 000d-88f8-0eab.

<Sysname> display portal user mac 000d-88f8-0eab

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active, OAuth)

    Session group profile: cd (inactive, AAA)

    ACL number/name: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

# Display information about the portal user whose username is abc.

<Sysname> display portal user username abc

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active, OAuth)

    Session group profile: cd (inactive, OAuth)

    ACL number/name: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Table 24 Command output

Field

Description

Total portal users

Total number of portal users.

Total normal users

Total number of portal users whose authentication type is normal authentication.

Total local users

Total number of portal users whose authentication type is local authentication.

Total email users

Total number of portal users whose authentication type is email authentication.

Total cloud users

Total number of portal users whose authentication type is cloud authentication.

Total QQ users

Total number of portal users whose authentication type is QQ authentication.

Total WeChat users

Total number of portal users whose authentication type is WeChat authentication.

Total facebook users

Total number of portal users whose authentication type is Facebook authentication.

Total MAC-trigger users

Total number of portal users whose authentication type is MAC-trigger authentication.

Username

Name of the user.

Portal server

Name of the portal authentication server.

State

Current state of the portal user:

·     Initialized—The user is initialized and ready for authentication.

·     Authenticating—The user is being authenticated.

·     Waiting SetRule—Deploying portal rules to the user.

·     Authorizing—The user is being authorized.

·     Online—The user is online.

·     Waiting Traffic—Waiting for traffic from the user.

·     Stop Accounting—Stopping accounting for the user.

·     Done—The user is offline.

VPN instance

This field is not supported in the current software version.

MPLS L3VPN the portal user belongs to. If the portal user is on a public network, this field displays N/A.

MAC

MAC address of the portal user.

IP

IP address of the portal user.

VLAN

VLAN where the portal user resides.

Interface

Access interface of the portal user.

Authorization information

Authorization information for the portal user.

DHCP IP pool

Name of the authorized IP address pool. If no IP address pool is authorized for the portal user, this field displays N/A.

User profile

Authorized user profile:

·     N/A—No user profile is authorized.

·     active, AAA—The AAA server has authorized the user profile successfully.

·     inactive, AAA—The AAA server failed to authorize the user profile or the user profile does not exist on the device.

·     active, OAuth—The OAuth server has authorized the user profile successfully.

·     inactive, OAuth—The OAuth server failed to authorize the user profile.

Session group profile

This field is not supported in the current software version.

Authorized session group profile:

·     N/A—No session group profile is authorized.

·     active, AAA—The AAA server has authorized the session group profile successfully.

·     inactive, AAA—The AAA server failed to authorize the session group profile or the session group profile does not exist on the device.

·     active, OAuth—The OAuth server has authorized the session group profile successfully.

·     inactive, OAuth—The OAuth server failed to authorize the session group profile.

ACL number/name

Number or name of the authorized ACL:

·     N/A—No ACL is authorized.

·     active, AAA—The AAA server has authorized the ACL successfully.

·     inactive, AAA—The AAA server failed to authorize the ACL or the ACL does not exist on the device.

·     active, OAuth—The OAuth server has authorized the ACL successfully.

·     inactive, OAuth—The OAuth server failed to authorize the ACL.

Inbound CAR

Authorized inbound CAR information:

·     N/A—No inbound CAR is authorized.

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active, AAA—The AAA server has authorized the inbound CAR successfully.

·     inactive, AAA—The AAA server failed to authorize the inbound CAR.

·     active, OAuth—The OAuth server has authorized the inbound CAR successfully.

·     inactive, OAuth—The OAuth server failed to authorize the inbound CAR.

Outbound CAR

Authorized outbound CAR information:

·     N/A—No outbound CAR is authorized.

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active, AAA—The AAA server has authorized the outbound CAR successfully.

·     inactive, AAA—The AAA server failed to authorize the outbound CAR.

·     active, OAuth—The OAuth server has authorized the outbound CAR successfully.

·     inactive, OAuth—The OAuth server failed to authorize the outbound CAR.
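The authorization states listed in Table 24 can be checked mechanically. The following Python is an added example, not H3C code: it parses non-verbose display portal user output and lists online users that hold an attribute reported as inactive, which Table 24 describes as a failed authorization or an object that does not exist on the device. Users def and abc are copied from the example output above, user guest7 is constructed, and the function names are hypothetical.

```python
import re

# Users def and abc are copied from the example output above; guest7 is constructed.
SAMPLE = """\
Username: def
  AP name: ap1
  Radio ID: 1
  SSID: portal
  Portal server: pts
  State: Online
  VPN instance: vpn1
  MAC                IP                 VLAN   Interface
  000d-88f8-0eac     4.4.4.4            2      Bss1/2
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL number/name: 3000 (active, AAA)
    Inbound CAR: CIR 9000       bps PIR 20500      bps
                 CBS 20500      bit (active, AAA)
    Outbound CAR: CIR 9000       bps PIR 20400      bps
                  CBS 20400      bit (active, AAA)
Username: abc
  Portal server: pts
  State: Online
  VPN instance: N/A
  MAC                IP                 VLAN   Interface
  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1
  Authorization information:
    DHCP IP pool: N/A
    User profile: abc (active, OAuth)
    Session group profile: cd (inactive, OAuth)
    ACL number/name: N/A
    Inbound CAR: N/A
    Outbound CAR: N/A
Username: guest7
  Portal server: pts
  State: Online
  VPN instance: N/A
  MAC                IP                 VLAN   Interface
  0011-2233-4455     2.2.2.9            2      WLAN-BSS1/0/1
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL number/name: 3001 (inactive, AAA)
    Inbound CAR: N/A
    Outbound CAR: N/A
"""

ATTR = re.compile(r"^\s+([A-Za-z][\w /-]*?):\s*(.*)$")
STATUS = re.compile(r"\((active|inactive), (AAA|OAuth)\)")
MAC_ROW = re.compile(r"^\s*((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(\S+)\s+\S+\s+\S+\s*$", re.I)


def parse_users(text):
    """One dict per 'Username:' block with State, MAC, IP and per-attribute status."""
    users, user, last = [], None, None
    for line in text.splitlines():
        if line.startswith("Username:"):
            user = {"Username": line.split(":", 1)[1].strip(), "auth": {}}
            users.append(user)
            last = None
            continue
        if user is None:
            continue
        row, attr = MAC_ROW.match(line), ATTR.match(line)
        if row:
            user["MAC"], user["IP"] = row.groups()
        elif attr and attr.group(1) == "State":
            user["State"] = attr.group(2).strip()
        elif attr and attr.group(2):
            last = attr.group(1)  # attribute that a following status belongs to
        status = STATUS.search(line)
        if status and last:
            # CAR status sits on a continuation line, so it is credited to 'last'.
            user["auth"][last] = status.groups()
    return users


def unapplied_authorization(users):
    """(username, MAC, attribute, source) for online users with an inactive attribute."""
    return [
        (u["Username"], u.get("MAC"), name, source)
        for u in users
        if u.get("State") == "Online"
        for name, (state, source) in u["auth"].items()
        if state == "inactive"
    ]
```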

 

# Display detailed information about the portal user whose IP address is 18.18.0.20.

<Sysname> display portal user ip 18.18.0.20 verbose

Basic:

  AP name: ap1

  Radio ID: 1

  SSID: portal

  Current IP address: 18.18.0.20

  Original IP address: 18.18.0.20

  Username: chap1

  User ID: 0x10000001

  Access interface: WLAN_BSS1/0/1

  Service-VLAN/Customer-VLAN: 50/-

  MAC address: 7854-2e1c-c59e

  Authentication type: Normal

  Domain name: portal

  VPN instance: N/A

  Status: Online

  Portal server: pt

  Vendor: Apple

  Portal authentication method: Direct

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Online duration (hh:mm:ss): 1:53:7

  Login time: 2014-12-25 10:47:53 UTC

  DHCP IP pool: N/A

ACL&QoS&Multicast:

  Inbound CAR: N/A

  Outbound CAR: N/A

  ACL number/name: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

Traffic statistic:

  Uplink packets/bytes: 6/412

  Downlink packets/bytes: 0/0

Dual-stack traffic statistics:

  IPv4 address: 18.18.0.20

            Uplink   packets/bytes: 3/200

            Downlink packets/bytes: 0/0

  IPv6 address: 2001::2

            Uplink   packets/bytes: 3/212

            Downlink packets/bytes: 0/0

Table 25 Command output

Field

Description

Current IP address

IP address of the portal user after passing authentication.

Original IP address

IP address of the portal user during authentication.

Username

Name of the portal user.

User ID

Portal user ID.

Access interface

Access interface of the portal user.

Service-VLAN/Customer-VLAN

Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.

MAC address

MAC address of the portal user.

Authentication type

Type of portal authentication:

·     Normal—Normal authentication.

·     Local—Local authentication.

·     Email—Email authentication.

·     Cloud—Cloud authentication.

·     QQ—QQ authentication.

·     WeChat—WeChat authentication.

·     Facebook—Facebook authentication.

·     MAC-trigger—MAC-trigger authentication.

Domain

ISP domain name for portal authentication.

VPN instance

This field is not supported in the current software version.

MPLS L3VPN to which the portal user belongs. If the portal user is on a public network, this field displays N/A.

Status

Status of the portal user:

·     Authenticating—The user is being authenticated.

·     Authorizing—The user is being authorized.

·     Waiting SetRule—Deploying portal rules to the user.

·     Online—The user is online.

·     Waiting Traffic—Waiting for traffic from the user.

·     Stop Accounting—Stopping accounting for the user.

·     Done—The user is offline.

Portal server

Name of the portal server.

Vendor

Vendor name of the endpoint.

Portal authentication method

Portal authentication method on the access interface.

The value Direct indicates direct authentication.

AAA

AAA information about the portal user.

Realtime accounting interval

Interval for sending real-time accounting updates, and the maximum number of accounting attempts. If the real-time accounting is not authorized, this field displays N/A.

Idle-cut

Idle timeout period and the minimum traffic threshold. If idle-cut is not authorized, this field displays N/A.

Session duration

Session duration and the remaining session time. If the session duration is not authorized, this field displays N/A.

Remaining traffic

Remaining traffic for the portal user. If the remaining traffic is not authorized, this field displays N/A.

Login time

Time when the user logged in. The field uses the device time format, for example, 2023-1-19  2:42:30 UTC.

ITA policy name

Name of the intelligent target accounting policy.

DHCP IP pool

Authorized DHCP IP address pool. If no DHCP IP address pool is authorized for the portal user, this field displays N/A.

Inbound CAR

Authorized inbound CAR information:

·     N/A—No inbound CAR is authorized.

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active, AAA—The AAA server has authorized the inbound CAR successfully.

·     inactive, AAA—The AAA server failed to authorize the inbound CAR.

·     active, OAuth—The OAuth server has authorized the inbound CAR successfully.

·     inactive, OAuth—The OAuth server failed to authorize the inbound CAR.

Outbound CAR

Authorized outbound CAR information:

·     N/A—No outbound CAR is authorized.

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active, AAA—The AAA server has authorized the outbound CAR successfully.

·     inactive, AAA—The AAA server failed to authorize the outbound CAR.

·     active, OAuth—The OAuth server has authorized the outbound CAR successfully.

·     inactive, OAuth—The OAuth server failed to authorize the outbound CAR.

ACL number/name

Number or name of the authorized ACL:

·     N/A—No ACL is authorized.

·     active, AAA—The AAA server has authorized the ACL successfully.

·     inactive, AAA—The AAA server failed to authorize the ACL or the ACL does not exist on the device.

·     active, OAuth—The OAuth server has authorized the ACL successfully.

·     inactive, OAuth—The OAuth server failed to authorize the ACL.

User profile

Authorized user profile:

·     N/A—No user profile is authorized.

·     active, AAA—The AAA server has authorized the user profile successfully.

·     inactive, AAA—The AAA server failed to authorize the user profile or the user profile does not exist on the device.

·     active, OAuth—The OAuth server has authorized the user profile successfully.

·     inactive, OAuth—The OAuth server failed to authorize the user profile.

Session group profile

This field is not supported in the current software version.

Authorized session group profile:

·     N/A—No session group profile is authorized.

·     active, AAA—The AAA server has authorized the session group profile successfully.

·     inactive, AAA—The AAA server failed to authorize the session group profile or the session group profile does not exist on the device.

·     active, OAuth—The OAuth server has authorized the session group profile successfully.

·     inactive, OAuth—The OAuth server failed to authorize the session group profile.

Max multicast addresses

Maximum number of multicast groups the portal user can join.

Multicast address list

Multicast group list the portal user can join. If no multicast group is authorized, this field displays N/A.

Traffic statistic

Traffic statistics for the portal user.

Uplink packets/bytes

Packet and byte statistics of the upstream traffic.

Downlink packets/bytes

Packet and byte statistics of the downstream traffic.

ITA

ITA statistics for the portal user.

level-n uplink packets/bytes

Packet and byte statistics of the upstream traffic in accounting level n. Number n is in the range of 1 to 8.

level-n downlink packets/bytes

Packet and byte statistics of the downstream traffic in accounting level n. Number n is in the range of 1 to 8.

Dual-stack traffic statistic

IPv4 and IPv6 traffic statistics for the dual-stack user.

IPv4 address

IPv4 address of the portal user.

IPv6 address

IPv6 address of the portal user.

Uplink packets/bytes

Packet and byte statistics of the upstream traffic.

Downlink packets/bytes

Packet and byte statistics of the downstream traffic.

 

# Display brief information about all portal users.

<Sysname> display portal user all brief

IP address       MAC address       Online duration       Username

4.4.4.4          000d-88f8-0eac    1:53:7                def

Table 26 Command output

Field

Description

IP address

IP address of the portal user.

MAC address

MAC address of the portal user.

Online duration

Online duration of the portal user, in hh:mm:ss format.

Username

Username of the portal user.

 

Related commands

portal enable

display portal user count

Use display portal user count to display the number of portal users.

Syntax

display portal user count

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the number of portal users.

<Sysname> display portal user count

Total number of users: 1

Related commands

portal enable

portal delete-user

display portal web-server

Use display portal web-server to display information about portal Web servers.

Syntax

display portal web-server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. If you do not specify a portal Web server, this command displays information about all portal Web servers.

Examples

# Display information about portal Web server wbs.

<Sysname> display portal web-server wbs

Portal Web server: wbs

    Type IMC

    URL: http://www.test.com/portal

    URL parameters: userurl=http://www.test.com/welcome

                    userip=source-address

    VPN instance: Not configured

    Server detection:

      Interval: 120s

      Attempts: 5

      Action: log, trap

      Detection URL: http://www.test.com/portal

      Detection type: TCP

    IPv4 status: Up

    IPv6 status: Up

    Captive-bypass: Disabled

    If-match: original-url:  http://2.2.2.2, redirect-url:  http://192.168.56.2

              original-url:   http://1.1.1.1, temp-pass redirect-url:

              http://192.168.1.1

Table 27 Command output

Field

Description

Type

Portal Web server type:

·     CMCC—CMCC server.

·     IMC—IMC server.

Portal Web server

Name of the portal Web server.

URL

URL of the portal Web server.

URL parameters

URL parameters for the portal Web server.

VPN instance

This field is not supported in the current software version.

Name of the MPLS L3VPN where the portal Web server resides.

Server detection

Parameters for portal Web server detection:

·     Detection interval in seconds.

·     Maximum number of detection attempts.

·     Actions (log and trap) triggered by the reachability status change of the portal Web server.

Detection URL

Portal Web server detection URL.

Detection type

Type of portal Web server detection:

·     TCP.

·     HTTP.

IPv4 status

Current state of the IPv4 portal Web server:

·     Up—This value indicates one of the following conditions:

¡     Portal Web server detection is disabled.

¡     Portal Web server detection is enabled and the server is reachable.

·     Down—Portal Web server detection is enabled and the server is unreachable.

IPv6 status

Current state of the IPv6 portal Web server:

·     Up—This value indicates one of the following conditions:

¡     Portal Web server detection is disabled.

¡     Portal Web server detection is enabled and the server is reachable.

·     Down—Portal Web server detection is enabled and the server is unreachable.

Captive-bypass

Status of the captive-bypass feature:

·     Disabled—Captive-bypass is disabled.

·     Enabled—Captive-bypass is enabled.

·     Optimize Enabled—Optimized captive-bypass is enabled.

If-match

Match rules configured for URL redirection. This field displays Not configured if no match rules for URL redirection are configured.

 

Related commands

portal enable

portal web-server

server-detect (portal Web server view)

server-detect url

display web-redirect rule

Use display web-redirect rule to display information about Web redirect rules.

Syntax

In standalone mode:

display web-redirect rule { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

In IRF mode:

display web-redirect rule { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ slot slot-number ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify this option, the command displays Web redirect rules for all radios of the AP.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays Web redirect rules on the master device. (In IRF mode.)

Examples

# Display all Web redirect rules on VLAN-interface 100.

<Sysname> display web-redirect rule interface vlan-interface 100

IPv4 web-redirect rules on vlan-interface 100:

Rule 1:

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 192.168.2.114

    VLAN           : Any

 

Rule 2:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    VLAN           : Any

    Protocol       : TCP

 Destination:

    Port           : 80

 

IPv6 web-redirect rules on vlan-interface 100:

Rule 1:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    VLAN           : Any

    Protocol       : TCP

 Destination:

    Port           : 80

# Display all Web redirect rules on AP ap1.

<Sysname> display web-redirect rule ap ap1

IPv4 web-redirect rules on ap1:

Radio ID: 1

SSID     : portal

Rule 1:

Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 192.168.2.114

    VLAN           : Any

 

Rule 2:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    VLAN           : Any

    Protocol       : TCP

 Destination:

    Port           : 80

Table 28 Command output

Field

Description

Rule

Number of the Web redirect rule.

Type

Type of the Web redirect rule:

·     Static—Static Web redirect rule, generated when the Web redirect feature takes effect.

·     Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.

Action

Action in the Web redirect rule:

·     Permit—Allows packets to pass.

·     Redirect—Redirects the packets.

Status

Status of the Web redirect rule:

·     Active—The Web redirect rule is effective.

·     Inactive—The Web redirect rule is not effective.

Source

Source information in the Web redirect rule.

IP

Source IP address.

Mask

Subnet mask of the source IPv4 address.

Prefix length

Prefix length of the source IPv6 address.

VLAN

Source VLAN. If not specified, this field displays Any.

Protocol

Transport layer protocol in the Web redirect rule:

·     Any—No transport layer protocol is limited.

·     TCP—Transmission Control Protocol.

Destination

Destination information in the Web redirect rule.

Port

Destination transport layer port number. The default port number is 80.

 

exclude-attribute (MAC binding server view)

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute attribute-number

undo exclude-attribute attribute-number

Default

No attributes are excluded from portal protocol packets.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

attribute-number: Specifies an attribute by its number in the range of 1 to 255.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. During MAC-trigger authentication, the device and the server cannot communicate if the device sends the portal authentication server a packet that contains an attribute unsupported by the server.

To address this issue, you can configure this command to exclude the unsupported attributes from portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes.

Table 29 describes all attributes of the portal protocol.

Table 29 Portal attributes

| Name | Number | Description |
|---|---|---|
| UserName | 1 | Name of the user to be authenticated. |
| PassWord | 2 | User password in plaintext form. |
| Challenge | 3 | Random challenge for CHAP authentication. |
| ChapPassWord | 4 | CHAP password encrypted by MD5. |
| TextInfo | 5 | The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server. The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet. |
| UpLinkFlux | 6 | Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB. |
| DownLinkFlux | 7 | Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB. |
| Port | 8 | Port information, a string excluding the end character '\0'. |
| IP-Config | 9 | This attribute has different meanings in different types of packets. The device uses this attribute in ACK_AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP. The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user. |
| BAS-IP | 10 | IP address of the access device. |
| Session-ID | 11 | Identification of a portal user. Generally, the value of this attribute is the MAC address of the portal user. |
| Delay-Time | 12 | Delay time for sending a packet. This attribute exists in NTF_LOGOUT (Type=0x08) packets. |
| User-List | 13 | List of IP addresses of an IPv4 portal user. |
| EAP-Message | 14 | An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet. |
| User-Notify | 15 | Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently. |
| BAS-IPv6 | 100 | IPv6 address of the access device. |
| UserIPv6-List | 101 | List of IPv6 addresses of an IPv6 portal user. |

 

Examples

# Exclude the BAS-IP attribute (number 10) from portal packets sent to MAC binding server 123.

<Sysname> system-view

[Sysname] portal mac-trigger-server 123

[Sysname-portal-mac-trigger-server-123] exclude-attribute 10

exclude-attribute (portal authentication server view)

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute number { ack-auth | ack-logout | ntf-logout }

undo exclude-attribute number { ack-auth | ack-logout | ntf-logout }

Default

No attributes are excluded from portal protocol packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

number: Specifies an attribute by its number in the range of 1 to 255.

ack-auth: Excludes the attribute from ACK_AUTH packets.

ack-logout: Excludes the attribute from ACK_LOGOUT packets.

ntf-logout: Excludes the attribute from NTF_LOGOUT packets.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.

To address this issue, you can configure this command to exclude the unsupported attributes from specific portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple types of portal protocol packets (ack-auth, ntf-logout, and ack-logout).

Table 30 describes all attributes of the portal protocol.

Table 30 Portal attributes

| Name | Number | Description |
|---|---|---|
| UserName | 1 | Name of the user to be authenticated. |
| PassWord | 2 | User password in plaintext form. |
| Challenge | 3 | Random challenge for CHAP authentication. |
| ChapPassWord | 4 | CHAP password encrypted by MD5. |
| TextInfo | 5 | The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server. The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet. |
| UpLinkFlux | 6 | Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB. |
| DownLinkFlux | 7 | Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB. |
| Port | 8 | Port information, a string excluding the end character '\0'. |
| IP-Config | 9 | This attribute has different meanings in different types of packets. The device uses this attribute in ACK_AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP. The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user. |
| BAS-IP | 10 | IP address of the access device. |
| Session-ID | 11 | Identification of a portal user. Generally, the value of this attribute is the MAC address of the portal user. |
| Delay-Time | 12 | Delay time for sending a packet. This attribute exists in NTF_LOGOUT (Type=0x08) packets. |
| User-List | 13 | List of IP addresses of an IPv4 portal user. |
| EAP-Message | 14 | An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet. |
| User-Notify | 15 | Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently. |
| BAS-IPv6 | 100 | IPv6 address of the access device. |
| UserIPv6-List | 101 | List of IPv6 addresses of an IPv6 portal user. |

 

Examples

# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] exclude-attribute 6 ack-auth

Related commands

display portal server

free-traffic threshold

Use free-traffic threshold to set the free-traffic threshold for portal users.

Use undo free-traffic threshold to restore the default.

Syntax

free-traffic threshold value

undo free-traffic threshold

Default

The free-traffic threshold is 0 bytes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the free-traffic threshold in the range of 0 to 10240000 bytes. If the free-traffic threshold is set to 0, the device immediately triggers MAC-based quick portal authentication for a user once the user's traffic is detected.

Usage guidelines

After MAC-based quick portal authentication is configured, the device monitors a user's network traffic (sent and received) in real time before the MAC-trigger entry for the user ages out. A user can access the network without authentication if the user's network traffic is below the free-traffic threshold. When the user's network traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user.

If the user passes portal authentication, the device deletes the MAC-trigger entry and clears the user traffic statistics. If the user fails authentication, the device does not trigger MAC-based quick authentication for the user before the MAC-trigger entry ages out. When the MAC-trigger entry ages out, the device clears the user traffic statistics.

When traffic is detected from the user again, the device re-creates a MAC-trigger entry for the user and repeats the previous procedure.

In wireless networks where APs are configured to forward client data traffic, APs report traffic statistics to the AC at a regular interval. The AC can determine whether a user's traffic exceeds the free-traffic threshold only after receiving the traffic statistics report from the associated AP. To set the interval for APs to report traffic statistics to the AC, use the portal client-traffic-report interval command.

Examples

# Set the free-traffic threshold for portal users to 10240 bytes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] free-traffic threshold 10240

Related commands

display portal mac-trigger-server
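The free-traffic procedure in the usage guidelines above, as a small model. This is an added illustration, not H3C code: the class and function names, the aging time passed as a parameter, the aging timer running from entry creation, and the sample traffic reports are assumptions. It shows how coarse AP reports let the counted traffic pass the threshold before authentication is triggered, and that a failed authentication is not retried until the entry ages out.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MacTriggerModel:
    threshold: int                    # free-traffic threshold, in bytes
    aging: float                      # MAC-trigger entry aging time, seconds (assumed input)
    auth_ok: bool                     # constructed outcome of the quick authentication
    created: Optional[float] = None   # creation time of the current entry
    seen: int = 0                     # bytes counted for the current entry
    failed: bool = False              # authentication already failed for this entry
    online: bool = False              # user has passed portal authentication
    events: list = field(default_factory=list)

    def report(self, t, nbytes):
        """Account one traffic observation: time t (s), bytes sent plus received."""
        if self.online:
            return
        if self.created is not None and t - self.created >= self.aging:
            # Entry aged out: the traffic statistics are cleared.
            self.events.append((self.created + self.aging, "aged-out", self.seen))
            self.created, self.seen, self.failed = None, 0, False
        if nbytes <= 0:
            return
        if self.created is None:
            # Traffic detected (again): a MAC-trigger entry is (re-)created.
            self.created = t
            self.events.append((t, "entry-created", 0))
        self.seen += nbytes
        if not self.failed and self.seen >= self.threshold:
            self.events.append((t, "auth-triggered", self.seen))
            if self.auth_ok:
                # Passed: the entry is deleted and the statistics are cleared.
                self.events.append((t, "entry-deleted", self.seen))
                self.created, self.seen, self.online = None, 0, True
            else:
                # Failed: no new trigger before this entry ages out.
                self.failed = True


def simulate(threshold, aging, auth_ok, reports):
    """Run (time, bytes) reports through the model and return its event list."""
    model = MacTriggerModel(threshold, aging, auth_ok)
    for t, nbytes in reports:
        model.report(t, nbytes)
    return model.events


def first_trigger_bytes(events):
    """Bytes already counted when authentication was first triggered."""
    return next(b for _, kind, b in events if kind == "auth-triggered")


# Constructed input: an AP that reports 8000 bytes every 60 s for one user.
COARSE_REPORTS = [(t, 8000) for t in range(0, 361, 60)]

if __name__ == "__main__":
    for event in simulate(10240, 300, False, COARSE_REPORTS):
        print(event)
```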

if-match

Use if-match to configure a match rule for URL redirection.

Use undo if-match to delete a URL redirection match rule.

Syntax

if-match { original-url url-string redirect-url url-string [ url-param-encryption { aes | des } key { cipher | simple } string ] | user-agent string redirect-url url-string }

undo if-match { original-url url-string | user-agent user-agent }

 

Default

No URL redirection match rules exist.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in HTTP or HTTPS requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

url-param-encryption: Specifies an encryption algorithm to encrypt the parameters carried in the redirection URL. If you do not specify an encryption algorithm, the parameters carried in the redirection URL are not encrypted.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

·     If des cipher is specified, the string length is 41 characters.

·     If des simple is specified, the string length is 8 characters.

·     If aes cipher is specified, the string length is 1 to 73 characters.

·     If aes simple is specified, the string length is 1 to 31 characters.

user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP/HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.

Usage guidelines

A URL redirection match rule matches HTTP or HTTPS requests by user-requested URL or User-Agent information, and redirects the matching HTTP or HTTPS requests to the specified redirection URL.

For a user to successfully access a redirection URL, configure a portal-free rule to allow HTTP or HTTPS requests destined for the redirection URL to pass. For information about configuring portal-free rules, see the portal free-rule command.

For a portal Web server, you can configure the url command and the if-match command for URL redirection. The url command redirects all HTTP or HTTPS requests from unauthenticated users to the portal Web server for authentication. The if-match command allows for flexible URL redirection by redirecting specific HTTP or HTTPS requests to specific redirection URLs. If both commands are executed, the if-match command takes priority to perform URL redirection.

If both portal safe-redirect and URL redirection match rules are configured, the device preferentially uses URL redirection match rules to perform URL redirection.

If you configure encryption for parameters in the redirection URL, you must add an encryption prompt field after the redirection URL address. For example, to redirect HTTP requests to URL 10.1.1.1 with encrypted URL parameters, specify the redirection URL as http://10.1.1.1?yyyy=. The value of yyyy depends on the portal Web server configuration. For more information, see the portal Web server configuration guide.

You can configure a redirection URL in one of the following ways:

·     For exact match—Specify a complete URL. For example, if you configure the URL as abc.com.cn, only Web requests that contain URL abc.com.cn match the rule.

·     For fuzzy match—Specify a URL by placing the asterisk (*) wildcard character at the beginning or end of the URL string. For example, if you configure the URL as *abc.com.cn, abc*, or *abc*, Web requests that carry the URL ending with abc.com.cn, starting with abc, or including abc match the rule.

¡     The asterisk (*) wildcard character represents any characters. The device treats multiple consecutive asterisks as one.

¡     The configured URL cannot contain only asterisks (*).

You cannot configure two URL redirection match rules with the same user-requested URL.

Examples

# Configure a match rule to redirect HTTP requests destined for the URL http://www.abc.com.cn to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn redirect-url http://192.168.0.1

# Configure a match rule to redirect HTTP requests that carry the user agent string 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1

Related commands

display portal web-server

portal free-rule

url

url-parameter

if-match temp-pass

Use if-match temp-pass to configure a match rule for temporary pass.

Use undo if-match temp-pass to restore the default.

Syntax

if-match { original-url url-string | user-agent user-agent } * temp-pass [ redirect-url url-string | original ]

undo if-match { original-url url-string | user-agent user-agent } * temp-pass

Default

No match rules for temporary pass are configured.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in HTTP/HTTPS requests of portal users. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP/HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.

redirect-url url-string: Redirects the matching Web requests to the specified URL. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

original: Redirects the matching Web requests to the originally requested URLs.

Usage guidelines

A match rule for temporary pass matches Web requests by URL or User-Agent information. Only the matching Web requests are temporarily permitted to pass.

A permitted request can be redirected to the specified redirection URL or to the originally requested URL, depending on the redirection action in the match rule. If you do not configure a redirection action (by using the redirect-url url-string option or the original keyword), the device permits the matching requests to pass without redirection.

For the match rules to take effect, make sure the portal temporary pass feature is enabled.

If you configure the same match criteria but different redirection actions in two match rules, the new configuration overwrites the existing one.

If both portal safe-redirect and portal temporary pass match rules are configured, portal temporary pass match rules take precedence.

Examples

# Configure a temporary pass rule to temporarily allow user packets that access URL http://www.abc.com.cn to pass.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn temp-pass

# Configure a temporary pass rule to temporarily allow user packets that access the URL http://www.abc.com.cn/ to pass and then redirect the packets to the originally requested URL.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn temp-pass original

# Configure a temporary pass rule to allow user packets that contain user agent information 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to pass and then redirect the packets to URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 temp-pass redirect-url http://192.168.0.1

# Configure a temporary pass rule. This rule allows user packets that access the URL http://www.abc.com.cn/ and contain user agent information 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to pass and then redirects the packets to URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 temp-pass redirect-url http://192.168.0.1

Related commands

display portal web-server

portal free-rule

portal temp-pass enable

url

url-parameter
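A pre-deployment check for the if-match and if-match temp-pass rules described above, as an added example that is not H3C code. It parses the command syntax, applies the key-length limits, the encryption prompt field requirement and the exact/fuzzy matching described in the usage guidelines, and reports rules worth a second look. The function names, finding codes, sample rules and the gated URL are constructed. Reading "exact match" as string equality and reporting cleartext HTTP, DES and plaintext keys as findings are assumptions of this example.

```python
import re

# Key-string lengths the page gives for url-param-encryption.
KEY_LEN = {("des", "cipher"): (41, 41), ("des", "simple"): (8, 8),
           ("aes", "cipher"): (1, 73), ("aes", "simple"): (1, 31)}


def parse_if_match(line):
    """Parse one if-match command (space-separated tokens) into a dict."""
    tok = line.split()
    if not tok or tok[0] != "if-match":
        raise ValueError(f"not an if-match command: {line!r}")
    rule = {"original-url": None, "user-agent": None, "redirect-url": None,
            "algo": None, "key-form": None, "key": None,
            "temp-pass": False, "original": False}
    i = 1
    try:
        while i < len(tok):
            kw = tok[i]
            if kw in ("original-url", "user-agent", "redirect-url"):
                rule[kw], i = tok[i + 1], i + 2
            elif kw == "url-param-encryption":
                # url-param-encryption { aes | des } key { cipher | simple } string
                rule["algo"], rule["key-form"], rule["key"] = tok[i + 1], tok[i + 3], tok[i + 4]
                i += 5
            elif kw in ("temp-pass", "original"):
                rule[kw], i = True, i + 1
            else:
                raise ValueError(f"unexpected token {kw!r}")
    except IndexError:
        raise ValueError(f"truncated command: {line!r}") from None
    return rule


def url_matches(pattern, url):
    """Exact or fuzzy (leading/trailing asterisk) match, per the usage guidelines."""
    p = re.sub(r"\*+", "*", pattern)      # consecutive asterisks are treated as one
    core = p.strip("*")
    if not core:
        raise ValueError("pattern cannot contain only asterisks")
    if "*" in core:
        raise ValueError("asterisk inside the pattern is not described on the page")
    if p.startswith("*") and p.endswith("*"):
        return core in url
    if p.startswith("*"):
        return url.endswith(core)
    if p.endswith("*"):
        return url.startswith(core)
    return url == p


def audit(lines, gated_urls=()):
    """Return (line_no, code, detail) findings for a list of if-match commands."""
    findings, seen = [], {}
    for n, line in enumerate(lines, 1):
        r = parse_if_match(line)
        add = lambda code, detail="": findings.append((n, code, detail))
        crit = (r["temp-pass"], r["original-url"], r["user-agent"])
        if crit in seen:
            add("duplicate-criteria", f"same match criteria as line {seen[crit]}")
        seen.setdefault(crit, n)
        red = r["redirect-url"]
        if red and red.startswith("http://"):
            add("http-redirect", red)
        if r["algo"] is None:
            if red and r["original-url"] and not r["temp-pass"]:
                add("params-unencrypted", "no url-param-encryption on this rule")
        else:
            if r["algo"] == "des":
                add("des", "DES selected for URL parameters; aes is available")
            if r["key-form"] == "simple":
                add("plaintext-key", "key appears in plaintext in the command text")
            lo, hi = KEY_LEN.get((r["algo"], r["key-form"]), (0, 0))
            if not lo <= len(r["key"]) <= hi:
                add("bad-key-length", f"expected {lo} to {hi} characters")
            if not re.search(r"\?[^=&?]+=$", red or ""):
                add("no-encryption-prompt", "redirect-url lacks a trailing '?name=' field")
        if r["temp-pass"] and r["original-url"]:
            for url in gated_urls:
                if url_matches(r["original-url"], url):
                    add("temp-pass-too-broad", f"also matches {url}")
    return findings


# Constructed sample rules; URLs are taken from the page's examples or made up.
SAMPLE = [
    "if-match original-url http://www.abc.com.cn redirect-url http://192.168.0.1",
    "if-match original-url http://www.abc.com.cn redirect-url http://10.1.1.1?yyyy= "
    "url-param-encryption des key simple 12345678",
    "if-match original-url *abc* temp-pass original",
    "if-match original-url http://portal.example.test redirect-url https://10.1.1.1 "
    "url-param-encryption aes key cipher CONSTRUCTED-CIPHERTEXT",
]
GATED = ["http://intranet.abc.example/admin"]   # constructed URL that must stay behind the portal

if __name__ == "__main__":
    for n, code, detail in audit(SAMPLE, GATED):
        print(f"line {n}: {code}: {detail}")
```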

ip (MAC binding server view)

Use ip to specify the IP address of a MAC binding server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ key { cipher | simple } string ]

undo ip

Default

The IP address of the MAC binding server is not specified.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of a MAC binding server.

key: Specifies a shared key to be used to authenticate packets between the device and the MAC binding server. Portal packets exchanged between the device and MAC binding server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to verify the correctness of the received portal packets. If you do not specify a shared key, the device and MAC binding server do not authenticate the packets between them.

cipher: Specifies a shared key in encrypted form.

simple: Specifies a shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the shared key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 33 to 117 characters.

Usage guidelines

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Specify the IP address of the MAC binding server as 192.168.0.111 and the plaintext key as portal.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal

Related commands

display portal mac-trigger-server

ip (portal authentication server view)

Use ip to specify the IPv4 address of a portal authentication server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ key { cipher | simple } string ]

undo ip

Default

The IPv4 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the portal authentication server.

key: Specifies a shared key for communication with the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 33 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv4 address. Therefore, in portal authentication server view, only one IPv4 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv4 address for different portal authentication servers.

Examples

# Specify 192.168.0.111 as the IPv4 address of portal authentication server pts and plaintext key portal as the shared key for communication with the portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ip 192.168.0.111 key simple portal

Related commands

display portal server

portal server

ip (portal roaming center view)

Use ip to specify the IP address for communication with the WLAN roaming center.

Use undo ip to restore the default.

Syntax

ip ip-address

undo ip

The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware series | Model | Product code | Command compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | No |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | No |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | No |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | Yes: WX3510H, WX3520H, WX3540H, WX3520H-F. No: WX3508H |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | Yes |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | Yes |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | Yes: LSQM1WCMX40, LSUM1WCMX40RT. No: LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, EWPXM2WCMD0F, EWPXM1MAC0F |

| Hardware series | Model | Product code | Command compatibility |
|---|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | No |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | Yes |
| WX5800H series | WX5860H | EWP-WX5860H-GL | Yes |

Default

No IP address for communication with the WLAN roaming center is specified.

Views

Portal roaming center view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address for communication with the WLAN roaming center.

Usage guidelines

The specified IP address is used by the portal roaming center to exchange packets with the WLAN roaming center. You can specify any IPv4 address of the WLAN roaming center that can be used for communication with the portal roaming center.

You can specify only one IP address for communication with the WLAN roaming center. If you configure this command multiple times, the most recent configuration takes effect. You cannot specify both an IPv4 address and an IPv6 address for communication with the WLAN roaming center.

As a best practice, do not change the IP address when online portal users exist on the device. Changing it might cause data inconsistency between the portal roaming center and the WLAN roaming center and, as a result, roaming failure. In this case, a roaming portal user must pass authentication on the new device to come online.

Examples

# Specify 192.168.0.111 as the IP address for communication with the WLAN roaming center.

<Sysname> system-view

[Sysname] portal roaming-center

[Sysname-portal-roaming-center] ip 192.168.0.111

ipv6 (portal authentication server view)

Use ipv6 to specify the IPv6 address of a portal authentication server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ key { cipher | simple } string ]

undo ipv6

Default

The IPv6 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the portal authentication server.

key: Specifies a shared key for communication with the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 33 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv6 address. Therefore, in portal authentication server view, only one IPv6 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv6 address for different portal authentication servers.

Examples

# Specify 2000::1 as the IPv6 address of portal authentication server pts and plaintext key portal as the shared key for communication with the portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ipv6 2000::1 key simple portal

Related commands

display portal server

portal server
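The key parameter of ip in MAC binding server view and of ip and ipv6 in portal authentication server view is optional, and the MAC binding server description states that without it packets are not authenticated. The following audit is an added example, not H3C code: it scans configuration text for these commands and reports servers with no shared key, keys given in simple form, and the documentation key portal. The sample configuration, its layout (views at column 0, commands indented), and the finding labels are assumptions made for this example.

```python
import re

# Constructed sample in the style of a saved configuration or provisioning
# script. Server names, addresses and keys are made up for this example.
SAMPLE_CONFIG = """\
#
portal server pts
 ip 192.168.0.111 key simple portal
 port 50000
#
portal server pts6
 ipv6 2000::1
#
portal mac-trigger-server mts
 ip 192.168.0.112
 local-binding enable
#
portal mac-trigger-server mts2
 ip 192.168.0.113 key cipher EXAMPLE-ENCRYPTED-KEY-PLACEHOLDER-0000000
#
"""

# Keys that appear in the examples of this reference and should never
# survive into a production configuration.
DOC_EXAMPLE_KEYS = {"portal"}

# "portal server <name>" or "portal mac-trigger-server <name>" opens a view.
VIEW_RE = re.compile(r"^portal (server|mac-trigger-server) (\S+)\s*$")
# ip/ipv6 <address> [ key { cipher | simple } <string> ]
ADDR_RE = re.compile(
    r"^\s+(ip|ipv6) (\S+)(?: key (cipher|simple) (.+?))?\s*$")


def audit_portal_keys(config_text):
    """Return a list of (view kind, server name, address, issue) tuples.

    Issues:
      no-key            ip/ipv6 configured without a shared key
      plaintext-key     key given in simple form in the audited text
      documentation-key plaintext key equals a key from the documentation
    """
    findings = []
    view = None  # (kind, name) of the server view currently being read
    for line in config_text.splitlines():
        opened = VIEW_RE.match(line)
        if opened:
            view = (opened.group(1), opened.group(2))
            continue
        if not line.startswith(" "):
            view = None  # any other top-level line, such as "#", ends the view
            continue
        if view is None:
            continue
        addr = ADDR_RE.match(line)
        if not addr:
            continue
        _cmd, address, form, key = addr.groups()
        kind, name = view
        if form is None:
            findings.append((kind, name, address, "no-key"))
        elif form == "simple":
            findings.append((kind, name, address, "plaintext-key"))
            if key in DOC_EXAMPLE_KEYS:
                findings.append((kind, name, address, "documentation-key"))
    return findings


if __name__ == "__main__":
    for kind, name, address, issue in audit_portal_keys(SAMPLE_CONFIG):
        print(f"portal {kind} {name} ({address}): {issue}")
```

A key in cipher form produces no finding because the audit cannot judge the strength of a key it cannot read.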

ipv6 (portal roaming center view)

Use ipv6 to specify the IPv6 address for communication with the WLAN roaming center.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address

undo ipv6

The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware series | Model | Product code | Command compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | No |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | No |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | No |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | Yes: WX3510H, WX3520H, WX3540H, WX3520H-F. No: WX3508H |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | Yes |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | Yes |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | Yes: LSQM1WCMX40, LSUM1WCMX40RT. No: LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, EWPXM2WCMD0F, EWPXM1MAC0F |

| Hardware series | Model | Product code | Command compatibility |
|---|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | No |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | Yes |
| WX5800H series | WX5860H | EWP-WX5860H-GL | Yes |

Default

No IPv6 address for communication with the WLAN roaming center is specified.

Views

Portal roaming center view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address for communication with the WLAN roaming center.

Usage guidelines

The specified IPv6 address is used by the portal roaming center to exchange packets with the WLAN roaming center. You can specify any IPv6 address of the WLAN roaming center that can be used for communication with the portal roaming center.

You can specify only one IPv6 address for communication with the WLAN roaming center. If you configure this command multiple times, the most recent configuration takes effect. You cannot specify both an IPv4 address and an IPv6 address for communication with the WLAN roaming center.

As a best practice, do not change the IPv6 address when online portal users exist on the device. Changing it might cause data inconsistency between the portal roaming center and the WLAN roaming center and, as a result, roaming failure. In this case, a roaming user must pass authentication on the new device to come online.

Examples

# Specify 10::2 as the IPv6 address for communication with the WLAN roaming center.

<Sysname> system-view

[Sysname] portal roaming-center

[Sysname-portal-roaming-center] ipv6 10::2

local-binding aging-time

Use local-binding aging-time to set the aging time for local MAC-account binding entries.

Use undo local-binding aging-time to restore the default.

Syntax

local-binding aging-time minutes

undo local-binding aging-time

Default

The aging time for local MAC-account binding entries is 720 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the aging time for local MAC-account binding entries. The value range for this argument is 1 to 129600 minutes.

Usage guidelines

The local MAC binding server uses a local MAC-account binding entry to record the MAC address and portal account information (username and password) of a portal user.

The local MAC-account binding entry of a portal user is deleted when the entry ages out. The device creates a local MAC-account binding entry for the user again when the user triggers and passes a new portal authentication.

If you disable local MAC-trigger authentication, the device does not delete existing local MAC-account binding entries. These entries are automatically deleted when they age out.

Examples

# Set the aging time for local MAC-account binding entries to 240 minutes in the view of MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] local-binding aging-time 240

Related commands

display portal mac-trigger-server

local-binding enable

local-binding enable

Use local-binding enable to enable local MAC-trigger authentication.

Use undo local-binding enable to disable local MAC-trigger authentication.

Syntax

local-binding enable

undo local-binding enable

Default

Local MAC-trigger authentication is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to act as a local MAC binding server to provide MAC-trigger authentication for local portal authentication users.

After a user passes portal authentication for the first time, the access device (local MAC binding server) generates a local MAC-account binding entry for the user. The local MAC-account binding entry records the MAC address and portal account information (username and password) of the user. Then, the user can automatically connect to the network without manual authentication for subsequent network access attempts.

Examples

# Enable local MAC-trigger authentication in the view of MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] local-binding enable

Related commands

display portal mac-trigger-server

local-binding aging-time

logon-page bind

Use logon-page bind to bind an endpoint name, SSID, or endpoint type to an authentication page file.

Use undo logon-page bind to unbind the endpoint name, SSID, or endpoint type from the authentication page file.

Syntax

logon-page bind { device-type { computer | pad | phone } | device-name device-name | ssid ssid-name } * file file-name

undo logon-page bind { all | device-type { computer | pad | phone } | device-name device-name | ssid ssid-name } *

Default

No endpoint name, SSID, or endpoint type is bound to an authentication page file.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

all: Specifies all endpoint names, SSIDs, and endpoint types.

device-type type-name: Specifies an endpoint type.

computer: Specifies the endpoint type as computer.

pad: Specifies the endpoint type as tablet.

phone: Specifies the endpoint type as mobile phone.

device-name device-name: Specifies an endpoint by its name, a case-sensitive string of 1 to 127 characters. The specified endpoint name must have been predefined on the device. Otherwise, the bound authentication page file does not take effect.

ssid ssid-name: Specifies an SSID by its name, a case-insensitive string of 1 to 32 characters. An SSID string can contain letters, digits, and spaces, but the start and end characters cannot be spaces. An SSID string cannot be f, fi, fil, or file.

file file-name: Specifies an authentication page file by the file name (without the file storage directory). A file name is a string of 1 to 91 characters, and can contain letters, digits, and underscores (_). You must edit the authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

Usage guidelines

This command implements customized authentication page pushing for portal users. After you configure this command, the device pushes authentication pages to users according to the user's endpoint name, SSID, and endpoint type.

When a Web user triggers local portal authentication, the device searches for a binding that matches the user's endpoint name, SSID, and endpoint type.

·     If the binding exists, the device pushes the bound authentication pages to the user.

·     If multiple matching binding entries are found, the device selects an entry in the following order:

a.     The entry that specifies the SSID, endpoint name, and endpoint type.

b.     The entry that specifies the SSID and endpoint name.

c.     The entry that specifies the SSID and endpoint type.

d.     The entry that specifies only the SSID.

e.     The entry that specifies the endpoint name and endpoint type.

f.     The entry that specifies only the endpoint name.

g.     The entry that specifies only the endpoint type.

·     If the binding does not exist, the device pushes the default authentication pages to the user.
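The selection order a. to g. above, as an added Python example that is not part of the original reference or the device's implementation. The Binding class, the function names, and the default file name default.zip are hypothetical; an entry is assumed to match only when every attribute it specifies equals the user's.

```python
from dataclasses import dataclass
from typing import Optional

# Precedence a. to g. from the usage guidelines, written as which of
# (ssid, device_name, device_type) a binding entry specifies.
PRECEDENCE = [
    (True, True, True),    # a. SSID, endpoint name, and endpoint type
    (True, True, False),   # b. SSID and endpoint name
    (True, False, True),   # c. SSID and endpoint type
    (True, False, False),  # d. only the SSID
    (False, True, True),   # e. endpoint name and endpoint type
    (False, True, False),  # f. only the endpoint name
    (False, False, True),  # g. only the endpoint type
]


@dataclass(frozen=True)
class Binding:
    file: str
    ssid: Optional[str] = None
    device_name: Optional[str] = None
    device_type: Optional[str] = None  # computer, pad, or phone

    def shape(self):
        """Which attributes this entry specifies."""
        return (self.ssid is not None,
                self.device_name is not None,
                self.device_type is not None)

    def key(self):
        # SSIDs are case-insensitive; endpoint names are case-sensitive.
        ssid = self.ssid.lower() if self.ssid is not None else None
        return (ssid, self.device_name, self.device_type)


def apply_bind(table, binding):
    """Model one 'logon-page bind' command.

    Binding the same attribute combination again replaces the earlier file,
    because the most recent configuration takes effect.
    """
    if binding.shape() not in PRECEDENCE:
        raise ValueError("specify at least one of ssid, device-name, device-type")
    table[binding.key()] = binding
    return table


def select_logon_page(table, ssid, device_name, device_type,
                      default_file="default.zip"):
    """Return the page file pushed to a user with the given attributes."""
    user = (ssid.lower() if ssid is not None else None, device_name, device_type)
    matches = [b for key, b in table.items()
               if all(want is None or want == have
                      for want, have in zip(key, user))]
    if not matches:
        return default_file  # no binding: default authentication pages
    # Several entries match: the one earliest in the a. to g. order wins.
    return min(matches, key=lambda b: PRECEDENCE.index(b.shape())).file


def demo():
    table = {}
    apply_bind(table, Binding("file1.zip", ssid="SSID1"))
    apply_bind(table, Binding("file2.zip", device_type="phone"))
    # Constructed entry: endpoint name plus endpoint type (case e.).
    apply_bind(table, Binding("file3.zip", device_name="printer-A",
                              device_type="computer"))
    return {
        "SSID1 phone": select_logon_page(table, "SSID1", None, "phone"),
        "SSID1 printer-A": select_logon_page(table, "SSID1", "printer-A",
                                             "computer"),
        "Guest printer-A": select_logon_page(table, "Guest", "printer-A",
                                             "computer"),
        "Guest pad": select_logon_page(table, "Guest", None, "pad"),
    }


if __name__ == "__main__":
    for user, page in demo().items():
        print(user, "->", page)
```

An SSID-only entry (d.) outranks an entry that names both the endpoint and its type (e.), so a broad SSID binding can mask a more specific endpoint binding.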

When you configure this command, follow these restrictions and guidelines:

·     If the name or content of the file in a binding entry is changed, you must reconfigure the binding.

·     To reconfigure or modify a binding, you can simply re-execute this command without canceling the existing binding.

·     If you execute this command multiple times to bind an endpoint name, SSID, or endpoint type to different authentication page files, the most recent configuration takes effect.

·     You can configure multiple binding entries on the device.

Examples

# Create an HTTP-based local portal Web service.

<Sysname> system-view

[Sysname] portal local-web-server http

# Bind SSID SSID1 to authentication page file file1.zip.

[Sysname-portal-local-websvr-http] logon-page bind ssid SSID1 file file1.zip

# Bind endpoint type phone to authentication page file file2.zip.

[Sysname-portal-local-websvr-http] logon-page bind device-type phone file file2.zip

Related commands

default-logon-page

portal local-web-server

logout-notify

Use logout-notify to set the maximum number of times and the interval for retransmitting a logout notification packet.

Use undo logout-notify to restore the default.

Syntax

logout-notify retry retries interval interval

undo logout-notify

Default

The device does not retransmit a logout notification packet.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

retry retries: Specifies the maximum number of retries, in the range of 1 to 5.

interval interval: Specifies the retry interval, in the range of 1 to 10 seconds.

Usage guidelines

A logout notification packet is a UDP packet that the device sends to the portal authentication server for forcibly logging out a portal user. To increase the delivery reliability, you can set the maximum number of times and the interval for retransmitting a logout notification packet.

After the device sends a logout notification packet for logging out a portal user, it waits for a response from the portal authentication server. If the device receives a response within the specified period of time (maximum number of retries × retry interval), it logs out and deletes the user immediately. If the device does not receive a response within the period of time, the device logs out and deletes the user when the period of time elapses.

Examples

# Set the maximum number of times for retransmitting a logout notification packet to 3 and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] portal server pt

[Sysname-portal-server-pt] logout-notify retry 3 interval 5

Related commands

display portal server

mail-domain-name

Use mail-domain-name to specify an email domain name for email authentication.

Use undo mail-domain-name to remove an email domain name for email authentication.

Syntax

mail-domain-name string

undo mail-domain-name [ string ]

Default

No email domain names are specified for email authentication.

Views

Email authentication server view

Predefined user roles

network-admin

Parameters

string: Specifies an email domain name for email authentication, a case-sensitive string of 1 to 255 characters, in the format of @XXX.XXX.

Usage guidelines

If you do not specify an email domain name in the undo form of this command, this command removes all email domain names for email authentication.

After you configure this command, the device performs email authentication only on portal users that use the specified email domain names.

You can specify a maximum of 16 email domain names for email authentication.

Examples

# Specify @qq.com and @sina.com email domain names for email authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail] mail-domain-name @qq.com

[Sysname-portal-extend-auth-server-mail] mail-domain-name @sina.com

Related commands

display portal extend-auth-server

mail-protocol

Use mail-protocol to specify protocols for email authentication.

Use undo mail-protocol to restore the default.

Syntax

mail-protocol { imap | pop3 } *

undo mail-protocol

Default

No protocols are specified for email authentication.

Views

Email authentication server view

Predefined user roles

network-admin

Parameters

imap: Specifies the Internet Message Access Protocol (IMAP).

pop3: Specifies the Post Office Protocol 3 (POP3).

Usage guidelines

This command specifies the email protocols that the device uses to interact with the email server to perform authentication and authorization on portal users who use email authentication.

Examples

# Specify POP3 as the protocol for email authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail] mail-protocol pop3

Related commands

display portal extend-auth-server

nas-port-type

Use nas-port-type to specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server.

Use undo nas-port-type to restore the default.

Syntax

nas-port-type value

undo nas-port-type

Default

The NAS-Port-Type value carried in RADIUS requests is 19.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the NAS-Port-Type value in the range of 1 to 255.

Usage guidelines

Some MAC binding servers identify MAC-based quick portal authentication by a specific NAS-Port-Type value in received RADIUS requests. To communicate with such a MAC binding server, you must configure the device to use the NAS-Port-Type value required by the MAC binding server.

Examples

# Set the NAS-Port-Type value in RADIUS requests sent to the MAC binding server mts to 30.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] nas-port-type 30

Related commands

display portal mac-trigger-server

port (MAC binding server view)

Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The MAC binding server listens for MAC binding query packets on UDP port 50100.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening UDP port number in the range of 1 to 65534.

Usage guidelines

The specified port number must be the same as the query listening port number configured on the MAC binding server.

Examples

# Set the UDP port number to 1000 for the MAC binding server mts to listen for MAC binding query packets.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] port 1000

Related commands

display portal mac-trigger-server

port (portal authentication server view)

Use port to set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The device uses 50100 as the destination UDP port number for unsolicited portal packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534.

Usage guidelines

The specified port must be the port that listens to portal packets on the portal authentication server.

Examples

# Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to the portal authentication server pts.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] port 50000

Related commands

portal server

port (portal roaming center view)

Use port to specify the UDP port number for communication with the WLAN roaming center.

Use undo port to restore the default.

Syntax

port port-number

undo port

The following compatibility matrix shows the support of hardware platforms for this command:

| Hardware series | Model | Product code | Command compatibility |
|---|---|---|---|
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | No |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | No |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | No |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | Yes: WX3510H, WX3520H, WX3540H, WX3520H-F. No: WX3508H |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | Yes |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | Yes |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | Yes: LSQM1WCMX40, LSUM1WCMX40RT. No: LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, EWPXM2WCMD0F, EWPXM1MAC0F |

| Hardware series | Model | Product code | Command compatibility |
|---|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | No |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | Yes |
| WX5800H series | WX5860H | EWP-WX5860H-GL | Yes |

Default

The UDP port 60035 is used by the portal roaming center to communicate with the WLAN roaming center.

Views

Portal roaming center view

Predefined user roles

network-admin

Parameters

port-number: Specifies the UDP port number for communication with the WLAN roaming center. The value range is 1 to 65534.

Usage guidelines

The specified UDP port is used by the portal roaming center to exchange packets with the WLAN roaming center.

The specified UDP port number must be the same as that specified on the WLAN roaming center.

As a best practice, do not change the UDP port number when online portal users exist on the device. Changing it might cause data inconsistency between the portal roaming center and the WLAN roaming center and, as a result, roaming failure. In this case, a roaming user must pass authentication on the new device to come online.

As a best practice to avoid data remanence, disable the WLAN roaming center before you change the UDP port number. When you finish changing the UDP port number, re-enable the WLAN roaming center.

Examples

# Specify port 50102 as the UDP port for communication with the WLAN roaming center.

<Sysname> system-view

[Sysname] portal roaming-center

[Sysname-portal-roaming-center] port 50102

Related commands

roaming-center enable

portal apply mac-trigger-server

Use portal apply mac-trigger-server to specify a MAC binding server.

Use undo portal apply mac-trigger-server to restore the default.

Syntax

portal apply mac-trigger-server server-name

undo portal apply mac-trigger-server

Default

No MAC binding server is specified.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

Only direct IPv4 portal authentication supports MAC-based quick portal authentication.

For MAC-based quick portal authentication to take effect, perform the following tasks:

·     Configure normal portal authentication.

·     Configure a MAC binding server.

·     Specify the MAC binding server on a portal-enabled VLAN interface or service template.

Examples

# Specify the MAC binding server mts on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal apply mac-trigger-server mts

Related commands

portal mac-trigger-server

portal apply web-server

Use portal apply web-server to specify a portal Web server. The device redirects the HTTP or HTTPS requests sent by unauthenticated portal users to the portal Web server.

Use undo portal apply web-server to delete a portal Web server.

Syntax

portal [ ipv6 ] apply web-server server-name [ secondary ]

undo portal [ ipv6 ] apply web-server [ server-name ]

Default

No portal Web servers are specified.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 portal Web server. If the server is an IPv4 portal Web server, do not specify this keyword.

secondary: Specifies the backup portal Web server. If you do not specify this keyword, the specified server is the primary portal Web server.

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. The name must already exist. If you do not specify a server name in the undo form of this command, all portal Web servers on the interface or service template are removed.

Usage guidelines

IPv4 and IPv6 portal authentication can both be enabled on an interface or on a service template.

You can specify both a primary portal Web server and a backup portal Web server after enabling each type (IPv4 or IPv6) of portal authentication.

The device first uses the primary portal Web server for portal authentication. When the primary portal Web server is unreachable but the backup portal Web server is reachable, the device uses the backup portal Web server. When the primary portal Web server becomes reachable, the device switches back to the primary portal Web server for portal authentication.

To automatically switch between the primary portal Web server and the backup portal Web server, configure portal Web server detection on both servers.

Examples

# Specify portal Web server wbs as the backup portal Web server on service template service1 for portal authentication.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal apply web-server wbs secondary

Related commands

display portal

portal fail-permit server

portal web-server

server-detect (portal Web server view)

portal authentication-location switchto-central-ac

Use portal authentication-location switchto-central-ac to switch the portal authenticator to the central AC.

Syntax

portal authentication-location switchto-central-ac

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command on an AC hierarchy where the portal authenticator is switched from a local AC to the central AC and the forwarding mode is changed from centralized forwarding to local forwarding. This command allows for the portal authenticator switching without device reboot.

Execute this command on a local AC. If you execute this command on devices of other roles, portal authentication will fail.

Before you execute this command, disable portal authentication on the interface or service template first.

Examples

# Switch the portal authenticator to the central AC.

<Sysname> system-view

[Sysname] portal authentication-location switchto-central-ac

Related commands

display portal authentication-location

portal auth-error-record enable

Use portal auth-error-record enable to enable portal authentication error recording.

Use undo portal auth-error-record enable to disable portal authentication error recording.

Syntax

portal auth-error-record enable

undo portal auth-error-record enable

Default

Portal authentication error recording is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to save all portal authentication error records and to periodically send the records to the Oasis cloud server or other server.

Examples

# Enable portal authentication error recording.

<Sysname> system-view

[Sysname] portal auth-error-record enable

Related commands

display portal auth-error-record

portal auth-error-record export

Use portal auth-error-record export to export portal authentication error records to a path.

Syntax

portal auth-error-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal authentication error records are exported. The URL is a case-insensitive string of 1 to 255 characters.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The device supports FTP, TFTP, and HTTP file transfer methods. Table 31 describes the valid URL format for each method.

Table 31 URL formats

| Protocol | URL format | Remarks |
| --- | --- | --- |
| FTP | ftp://username[:password]@server-address[:port-number]/file-path Example: ftp://a:1@1.1.1.1/authfail/ | The username and password must be the same as those on the server. If the server authenticates only the username, no password is required. |
| TFTP | tftp://server-address[:port-number]/file-path Example: tftp://1.1.1.1/autherror/ | N/A |
| HTTP | http://username[:password]@server-address[:port-number]/file-path Example: http://1.1.1.1/autherror/ | The username and password must be the same as those on the server. If the server authenticates only the username, no password is required. |

If the server address is an IPv6 address, bracket the IPv6 address to distinguish the IPv6 address from the port number. For example, if the server address is 2001::1 and the port number is 21, the URL is ftp://test:test@[2001::1]/test/.

Examples

# Export all portal authentication error records to path tftp://1.1.1.1/record/autherror/.

<Sysname> system-view

[Sysname] portal auth-error-record export url tftp://1.1.1.1/record/autherror/

# Export portal authentication error records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/autherror/.

<Sysname> system-view

[Sysname] portal auth-error-record export url tftp://1.1.1.1/record/autherror/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

display portal auth-error-record

portal auth-error-record enable

reset portal auth-error-record

portal auth-error-record max

Use portal auth-error-record max to set the maximum number of portal authentication error records.

Use undo portal auth-error-record max to restore the default.

Syntax

portal auth-error-record max number

undo portal auth-error-record max

Default

| Hardware series | Model | Product code | Default |
| --- | --- | --- | --- |
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | The device supports a maximum of 6000 portal authentication error records. |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | The device supports a maximum of 6000 portal authentication error records. |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | WX3010H, WX3010H-X, WX3024H, WX3024H-F: The device supports a maximum of 24000 portal authentication error records. WX3010H-L, WX3024H-L: The device supports a maximum of 6000 portal authentication error records. |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | WX3508H, WX3510H: The device supports a maximum of 24000 portal authentication error records. WX3520H, WX3520H-F, WX3540H: The device supports a maximum of 60000 portal authentication error records. |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | The device supports a maximum of 24000 portal authentication error records. |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | The device supports a maximum of 60000 portal authentication error records. |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | The device supports a maximum of 60000 portal authentication error records. |

| Hardware series | Model | Product code | Default |
| --- | --- | --- | --- |
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H | The device supports a maximum of 6000 portal authentication error records. |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | The device supports a maximum of 60000 portal authentication error records. |
| WX5800H series | WX5860H | EWP-WX3820H-GL, EWP-WX3840H-GL | The device supports a maximum of 60000 portal authentication error records. |

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal authentication error records.

The following compatibility matrixes show the value ranges for this argument:

| Hardware series | Model | Product code | Value range |
| --- | --- | --- | --- |
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | 1 to 6000 |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | 1 to 6000 |
| WX3000H series | WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | WX3010H: 1 to 24000; WX3010H-L: 1 to 6000; WX3010H-X: 1 to 24000; WX3024H: 1 to 24000; WX3024H-L: 1 to 6000; WX3024H-F: 1 to 24000 |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | WX3508H: 1 to 24000; WX3510H: 1 to 24000; WX3520H: 1 to 60000; WX3520H-F: 1 to 60000; WX3540H: 1 to 60000 |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | 1 to 24000 |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | 1 to 60000 |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | 1 to 60000 |

| Hardware series | Model | Product code | Value range |
| --- | --- | --- | --- |
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | 1 to 6000 |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | 1 to 60000 |
| WX5800H series | WX5860H | EWP-WX5860H-GL | 1 to 60000 |

Usage guidelines

When the maximum number of portal authentication error records is reached, a new record overwrites the oldest one.

Examples

# Set the maximum number of portal authentication error records to 50.

<Sysname> system-view

[Sysname] portal auth-error-record max 50

Related commands

display portal auth-error-record

portal auth-fail-record enable

Use portal auth-fail-record enable to enable portal authentication failure recording.

Use undo portal auth-fail-record enable to disable portal authentication failure recording.

Syntax

portal auth-fail-record enable

undo portal auth-fail-record enable

Default

Portal authentication failure recording is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to save portal authentication failure records and to periodically send the records to the Oasis cloud server or another server.

Examples

# Enable portal authentication failure recording.

<Sysname> system-view

[Sysname] portal auth-fail-record enable

Related commands

display portal auth-fail-record

portal auth-fail-record export

Use portal auth-fail-record export to export portal authentication failure records to a path.

Syntax

portal auth-fail-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal authentication failure records are exported. The URL is a case-insensitive string of 1 to 255 characters.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The device supports FTP, TFTP, and HTTP file transfer methods. Table 32 describes the valid URL format for each method.

Table 32 URL formats

| Protocol | URL format | Remarks |
| --- | --- | --- |
| FTP | ftp://username[:password]@server-address[:port-number]/file-path Example: ftp://a:1@1.1.1.1/authfail/ | The username and password must be the same as those on the server. If the server authenticates only the username, no password is required. |
| TFTP | tftp://server-address[:port-number]/file-path Example: tftp://1.1.1.1/autherror/ | N/A |
| HTTP | http://username[:password]@server-address[:port-number]/file-path Example: http://1.1.1.1/autherror/ | The username and password must be the same as those on the server. If the server authenticates only the username, no password is required. |

If the server address is an IPv6 address, bracket the IPv6 address to distinguish the IPv6 address from the port number. For example, if the server address is 2001::1 and the port number is 21, the URL is ftp://test:test@[2001::1]/test/.

Examples

# Export all portal authentication failure records to path tftp://1.1.1.1/record/authfail/.

<Sysname> system-view

[Sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/

# Export portal authentication failure records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/authfail/.

<Sysname> system-view

[Sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

display portal auth-fail-record

portal auth-fail-record enable

reset portal auth-fail-record
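An added example (not H3C code): a pre-flight check for the url-string and time-range arguments of portal auth-error-record export and portal auth-fail-record export, following the URL formats tables and the date and time rules above, with warnings where credentials or records would cross the network in cleartext. The function names, the warning texts, and the rule that the end of the range must not precede its start are assumptions of this example.

```python
from datetime import datetime
from urllib.parse import urlsplit

SCHEMES = {"ftp", "tftp", "http"}        # transfer methods in the URL formats table
DATE_FORMATS = ("%m/%d/%Y", "%Y/%m/%d")  # MM/DD/YYYY or YYYY/MM/DD

def parse_date(text):
    """Parse a start-date or end-date argument; the year must be 1970 to 2037."""
    for fmt in DATE_FORMATS:
        try:
            day = datetime.strptime(text, fmt).date()
        except ValueError:
            continue
        if not 1970 <= day.year <= 2037:
            raise ValueError(f"year outside 1970-2037: {text}")
        return day
    raise ValueError(f"not a valid MM/DD/YYYY or YYYY/MM/DD date: {text}")

def check_time_range(start_date, start_time, end_date, end_time):
    """Return (start, end) as datetimes, or raise ValueError."""
    def stamp(date_text, clock_text):  # hh:mm, 00:00 to 23:59
        clock = datetime.strptime(clock_text, "%H:%M").time()
        return datetime.combine(parse_date(date_text), clock)
    start, end = stamp(start_date, start_time), stamp(end_date, end_time)
    if end < start:  # assumption: an inverted range is an operator error
        raise ValueError("end of range precedes start")
    return start, end

def check_export_url(url):
    """Return (errors, warnings) for a url-string argument."""
    errors, warnings = [], []
    if not 1 <= len(url) <= 255:
        errors.append("length must be 1 to 255 characters")
    if any(ch.isspace() for ch in url):
        errors.append("whitespace would split the CLI argument")
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # for example, a malformed bracketed host
        return errors + [f"unparseable URL: {exc}"], warnings
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES:
        return errors + [f"unsupported scheme: {scheme or '(none)'}"], warnings
    userinfo, at, hostinfo = parts.netloc.rpartition("@")
    if not hostinfo.startswith("[") and hostinfo.count(":") > 1:
        errors.append("IPv6 server address must be bracketed")
    if at and scheme == "tftp":
        errors.append("the TFTP format takes no username or password")
    elif at and ":" in userinfo:
        warnings.append("password embedded in URL")
    warnings.append(f"{scheme} is unencrypted")
    if scheme == "tftp":
        warnings.append("TFTP has no authentication")
    return errors, warnings

def build_export_command(kind, url, time_range=None):
    """Build 'portal auth-<kind>-record export ...'; kind is 'error' or 'fail'."""
    errors, warnings = check_export_url(url)
    if errors:
        raise ValueError("; ".join(errors))
    command = f"portal auth-{kind}-record export url {url}"
    if time_range is not None:
        check_time_range(*time_range)
        command += " start-time {} {} end-time {} {}".format(*time_range)
    return command, warnings
```

A password placed in the URL is also typed on the command line, so it is worth reviewing where command history and logs are kept before using the FTP or HTTP forms.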

portal auth-fail-record max

Use portal auth-fail-record max to set the maximum number of portal authentication failure records.

Use undo portal auth-fail-record max to restore the default.

Syntax

portal auth-fail-record max number

undo portal auth-fail-record max

Default

| Hardware series | Model | Product code | Default |
| --- | --- | --- | --- |
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | The device supports a maximum of 6000 portal authentication failure records. |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | The device supports a maximum of 6000 portal authentication failure records. |
| WX3000H series | WX3010H, WX3010H-X, WX3010H-L, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | WX3010H, WX3010H-X, WX3024H, WX3024H-F: The device supports a maximum of 24000 portal authentication failure records. WX3010H-L, WX3024H-L: The device supports a maximum of 6000 portal authentication failure records. |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | WX3508H, WX3510H: The device supports a maximum of 24000 portal authentication failure records. WX3520H, WX3520H-F, WX3540H: The device supports a maximum of 60000 portal authentication failure records. |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | The device supports a maximum of 24000 portal authentication failure records. |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | The device supports a maximum of 60000 portal authentication failure records. |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | The device supports a maximum of 60000 portal authentication failure records. |

| Hardware series | Model | Product code | Default |
| --- | --- | --- | --- |
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H | The device supports a maximum of 6000 portal authentication failure records. |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | The device supports a maximum of 60000 portal authentication failure records. |
| WX5800H series | WX5860H | EWP-WX3820H-GL, EWP-WX3840H-GL | The device supports a maximum of 60000 portal authentication failure records. |

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal authentication failure records.

The following compatibility matrixes show the value ranges for this argument:

| Hardware series | Model | Product code | Value range |
| --- | --- | --- | --- |
| WX1800H series | WX1804H | EWP-WX1804H-PWR-CN | 1 to 6000 |
| WX2500H series | WX2508H-PWR-LTE, WX2510H, WX2510H-F, WX2540H, WX2540H-F, WX2560H | EWP-WX2508H-PWR-LTE, EWP-WX2510H-PWR, EWP-WX2510H-F-PWR, EWP-WX2540H, EWP-WX2540H-F, EWP-WX2560H | 1 to 6000 |
| WX3000H series | WX3010H, WX3010H-L, WX3010H-X, WX3024H, WX3024H-L, WX3024H-F | EWP-WX3010H, EWP-WX3010H-X-PWR, EWP-WX3010H-L-PWR, EWP-WX3024H, EWP-WX3024H-L-PWR, EWP-WX3024H-F | WX3010H: 1 to 24000; WX3010H-L: 1 to 6000; WX3010H-X: 1 to 24000; WX3024H: 1 to 24000; WX3024H-L: 1 to 6000; WX3024H-F: 1 to 24000 |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3520H-F, WX3540H | EWP-WX3508H, EWP-WX3510H, EWP-WX3520H, EWP-WX3520H-F, EWP-WX3540H | WX3508H: 1 to 24000; WX3510H: 1 to 24000; WX3520H: 1 to 60000; WX3520H-F: 1 to 60000; WX3540H: 1 to 60000 |
| WX5500E series | WX5510E, WX5540E | EWP-WX5510E, EWP-WX5540E | 1 to 24000 |
| WX5500H series | WX5540H, WX5560H, WX5580H | EWP-WX5540H, EWP-WX5560H, EWP-WX5580H | 1 to 60000 |
| Access controller modules | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | LSUM1WCME0, EWPXM1WCME0, LSQM1WCMX20, LSUM1WCMX20RT, LSQM1WCMX40, LSUM1WCMX40RT, EWPXM2WCMD0F, EWPXM1MAC0F | 1 to 60000 |

| Hardware series | Model | Product code | Value range |
| --- | --- | --- | --- |
| WX1800H series | WX1804H, WX1810H, WX1820H, WX1840H | EWP-WX1804H-PWR, EWP-WX1810H-PWR, EWP-WX1820H, EWP-WX1840H-GL | 1 to 6000 |
| WX3800H series | WX3820H, WX3840H | EWP-WX3820H-GL, EWP-WX3840H-GL | 1 to 60000 |
| WX5800H series | WX5860H | EWP-WX5860H-GL | 1 to 60000 |

Usage guidelines

When the maximum number of portal authentication failure records is reached, a new record overwrites the oldest one.

Examples

# Set the maximum number of portal authentication failure records to 50.

<Sysname> system-view

[Sysname] portal auth-fail-record max 50

Related commands

display portal auth-fail-record

portal authorization strict-checking

Use portal authorization strict-checking to enable strict checking on portal authorization information.

Use undo portal authorization strict-checking to disable strict checking on portal authorization information.

Syntax

portal authorization { acl | user-profile } strict-checking

undo portal authorization { acl | user-profile } strict-checking

Default

Strict checking on portal authorization information is disabled. If an authorized ACL or user profile does not exist on the device or fails to be deployed, the user will not be logged out.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

acl: Enables strict checking on authorized ACLs.

user-profile: Enables strict checking on authorized user profiles.

Usage guidelines

The strict checking feature on an interface or service template allows a portal user to stay online only when the authorization information for the user is successfully deployed. Strict checking fails if the authorized ACL or user profile does not exist on the device or the device fails to deploy the authorized ACL or user profile.

You can enable strict checking on the authorized ACL, the authorized user profile, or both. If you enable both strict ACL checking and strict user profile checking, the user will be logged out if either check fails.

Examples

# Enable strict checking on authorized ACLs on service template service1.

<Sysname> system-view  

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal authorization acl strict-checking

Related commands

display portal
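An added example (not H3C code): an offline audit that lists portal-enabled service templates where the default still applies, that is, where a user stays online even though the authorized ACL or user profile was not deployed. The configuration excerpt is constructed, and its block layout and the portal enable method direct line are assumptions; the example covers service template view only, not interface view.

```python
import re

# Constructed running-configuration excerpt (not from the page). Assumed
# layout: a block starts at "wlan service-template <name>", its commands
# are indented by one space, and "#" separates blocks.
SAMPLE_CONFIG = """\
#
wlan service-template service1
 ssid guest
 portal enable method direct
 portal authorization acl strict-checking
 service-template enable
#
wlan service-template service2
 ssid staff
 portal enable method direct
 service-template enable
#
wlan service-template service3
 ssid lab
 service-template enable
#
"""

STRICT = re.compile(r"portal authorization (acl|user-profile) strict-checking")
CHECKS = {"acl", "user-profile"}


def service_templates(config_text):
    """Return {template name: [commands]} for each service-template block."""
    templates, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("wlan service-template "):
            current = raw.split()[2]
            templates[current] = []
        elif raw.startswith(" ") and current is not None:
            templates[current].append(raw.strip())
        else:
            current = None  # separator or a different view ends the block
    return templates


def audit_strict_checking(config_text):
    """Map each portal-enabled template to the strict checks it does not enable."""
    report = {}
    for name, commands in service_templates(config_text).items():
        if not any(c.startswith("portal enable") for c in commands):
            continue  # no portal authentication on this template
        enabled = {m.group(1) for c in commands if (m := STRICT.fullmatch(c))}
        report[name] = sorted(CHECKS - enabled)
    return report


if __name__ == "__main__":
    for template, missing in audit_strict_checking(SAMPLE_CONFIG).items():
        print(template, "missing:", ", ".join(missing) or "none")
```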

portal captive-bypass optimize delay

Use portal captive-bypass optimize delay to set the captive-bypass detection timeout time.

Use undo portal captive-bypass optimize delay to restore the default.

Syntax

portal captive-bypass optimize delay seconds

undo portal captive-bypass optimize delay

Default

The captive-bypass detection timeout time is 6 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the captive-bypass detection timeout time, in the range of 1 to 120 seconds.

Usage guidelines

This command applies only to iOS mobile clients.

With optimized captive-bypass enabled, the device automatically pushes the portal authentication page to iOS mobile devices when they are connected to the network. Users can perform authentication on the page or press the home button to return to the desktop without performing authentication, and the Wi-Fi connection is not terminated.

Optimized captive-bypass might fail when the network condition is poor. If the device cannot detect a server reachability detection packet from an iOS mobile device within the captive-bypass detection timeout time, the Wi-Fi connection will be terminated on the iOS mobile device. To avoid Wi-Fi disconnections caused by server reachability detection failure, you can set a longer captive-bypass detection timeout time when the network condition is poor.

Examples

# Set the captive-bypass detection timeout time to 20 seconds.

<Sysname> system-view

[Sysname] portal captive-bypass optimize delay 20

Related commands

captive-bypass enable

portal client-gateway interface

Use portal client-gateway interface to specify the AC’s interface for portal clients to access during third-party authentication.

Use undo portal client-gateway interface to restore the default.

Syntax

portal client-gateway interface interface-type interface-number

undo portal client-gateway interface

Default

No AC interface is specified for portal clients to access during third-party authentication.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

When client traffic is forwarded by APs and third-party portal authentication is used, the client does not know the IP address of the AC. For the client to access the AC successfully, specify an interface of the AC so that the client can obtain the AC's IP address and access the AC.

Examples

# Specify VLAN-interface 100 on the AC for clients to access during third-party authentication.

<Sysname> system-view

[Sysname] portal client-gateway interface vlan-interface 100

portal client-traffic-report interval

Use portal client-traffic-report interval to set the interval at which an AP reports traffic statistics to the AC.

Use undo portal client-traffic-report interval to restore the default.

Syntax

portal client-traffic-report interval interval

undo portal client-traffic-report interval

Def