11-User Access and Authentication Command Reference

HomeSupportReference GuidesCommand ReferencesH3C Access Points Cloud Mode Command References(E2442 R2442)-6W10011-User Access and Authentication Command Reference
08-Portal commands
Title Size Download
08-Portal commands 853.35 KB

Contents

Portal commands· 1

aaa-fail nobinding enable· 1

aging-time· 1

app-id (Facebook authentication server view) 2

app-id (QQ authentication server view) 3

app-id (WeChat authentication server view) 4

app-key (Facebook authentication server view) 5

app-key (QQ authentication server view) 5

app-key (WeChat authentication server view) 6

app-secret 7

authentication-timeout 8

auth-url 9

binding-retry· 10

captive-bypass enable· 10

cloud-binding enable· 11

cloud-server url 12

default-logon-page· 13

display portal 14

display portal auth-error-record· 18

display portal auth-fail-record· 21

display portal captive-bypass statistics· 24

display portal dns free-rule-host 24

display portal dns redirect-rule-host 25

display portal extend-auth-server 26

display portal local-binding mac-address· 28

display portal logout-record· 29

display portal mac-trigger user 32

display portal mac-trigger-server 33

display portal packet statistics· 35

display portal permit-rule statistics· 40

display portal redirect session· 41

display portal redirect session-record· 42

display portal redirect session-statistics· 44

display portal redirect statistics· 44

display portal rule· 45

display portal safe-redirect statistics· 48

display portal server 50

display portal user 51

display portal user count 59

display portal user dhcp-lease· 60

display portal user dhcpv6-lease· 61

display portal web-server 62

display web-redirect rule· 64

exclude-attribute (MAC binding server view) 66

exclude-attribute (portal authentication server view) 68

free-traffic threshold· 70

if-match· 71

if-match temp-pass· 73

ip (MAC binding server view) 74

ip (portal authentication server view) 75

ipv6 (MAC binding server view) 76

ipv6 (portal authentication server view) 77

local-binding aging-time· 78

local-binding enable· 79

login failed-url 80

login success-url 80

logon-page bind· 81

logout-notify· 82

mail-domain-name· 83

mail-protocol 84

nas-port-type· 85

port (MAC binding server view) 85

port (portal authentication server view) 86

portal accounting-separate enable· 87

portal apply mac-trigger-server 87

portal apply web-server 88

portal auth-error-record enable· 89

portal auth-error-record export 90

portal auth-error-record max· 91

portal auth-fail-record enable· 92

portal auth-fail-record export 93

portal auth-fail-record max· 94

portal authorization strict-checking· 94

portal captive-bypass optimize delay· 95

portal cloud report interval 96

portal delete-user 97

portal device-id· 98

portal domain· 98

portal dual-ip enable· 99

portal dual-stack enable· 100

portal dual-stack traffic-separate enable· 101

portal enable (interface view) 101

portal enable (service template view) 102

portal extend-auth domain· 103

portal extend-auth-server 104

portal fail-permit server 105

portal fail-permit web-server 106

portal forbidden-rule· 107

portal free-all except destination· 108

portal free-rule· 109

portal free-rule description· 111

portal free-rule destination· 111

portal free-rule source· 113

portal host-check enable· 114

portal idle-cut dhcp-capture enable· 114

portal ipv6 free-all except destination· 115

portal ipv6 layer3 source· 116

portal ipv6 user-detect 117

portal layer3 source· 118

portal local-web-server 119

portal logout-record enable· 121

portal logout-record export 121

portal logout-record max· 122

portal mac-trigger-server 123

portal max-user 124

portal nas-id profile· 125

portal nas-port-id format 125

portal nas-port-type· 128

portal oauth user-sync interval 129

portal outbound-filter enable· 129

portal packet log enable· 130

portal pre-auth domain· 131

portal pre-auth ip-pool 132

portal redirect-rule· 133

portal redirect log enable· 134

portal redirect max-session per-user 135

portal refresh enable· 136

portal roaming enable· 136

portal safe-redirect default-action· 137

portal safe-redirect enable· 139

portal safe-redirect forbidden-file· 139

portal safe-redirect forbidden-url 140

portal safe-redirect method· 141

portal safe-redirect permit-url 142

portal safe-redirect user-agent 143

portal server 144

portal temp-pass enable· 145

portal traffic-accounting disable· 145

portal traffic-backup threshold· 146

portal url-param source-address code-base64· 147

portal user log enable· 147

portal user-detect 148

portal user-dhcp-only· 149

portal user-log traffic-separate· 150

portal user-logoff after-client-offline enable· 151

portal user-logoff ssid-switch enable· 151

portal web-server 152

portal wifidog user-sync interval 153

portal { bas-ip | bas-ipv6 } 154

portal { ipv4-max-user | ipv6-max-user } 155

redirect-url 156

reset portal auth-error-record· 156

reset portal auth-fail-record· 157

reset portal captive-bypass statistics· 158

reset portal local-binding mac-address· 158

reset portal logout-record· 159

reset portal packet statistics· 160

reset portal redirect session-record· 161

reset portal redirect session-statistics· 161

reset portal redirect statistics· 161

reset portal safe-redirect statistics· 162

server-detect (portal authentication server view) 162

server-detect (portal Web server view) 163

server-detect url 164

server-register 165

server-type (MAC binding server view) 166

server-type (portal authentication server view/portal Web server view) 167

shop-id· 168

subscribe-required enable· 169

tcp-port 169

url 170

url-parameter 171

user-agent 173

user-password modify enable· 174

user-sync· 174

version· 175

web-redirect url 176

 


Portal commands

aaa-fail nobinding enable

Use aaa-fail nobinding enable to enable AAA failure unbinding.

Use undo aaa-fail nobinding enable to restore the default.

Syntax

aaa-fail nobinding enable

undo aaa-fail nobinding enable

Default

AAA failure unbinding is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

If a portal user fails AAA in MAC-trigger authentication, the user cannot trigger authentication before the MAC-trigger entry of the user ages out. After the MAC-trigger entry ages out, the user triggers MAC-trigger authentication when it accesses the network.

After AAA failure unbinding is enabled, the device sets the MAC-trigger entry state for a user to unbound immediately after the user fails AAA in MAC-trigger authentication. Before the user's MAC-trigger entry ages out, the user can trigger normal portal authentication.

Examples

# Enable AAA failure unbinding for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aaa-fail nobinding enable

Related commands

display portal mac-trigger-server

aging-time

Use aging-time to set the aging time for MAC-trigger entries.

Use undo aging-time to restore the default.

Syntax

aging-time seconds

undo aging-time

Default

The aging time for MAC-trigger entries is 300 seconds.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

seconds: Specifies the aging time for MAC-trigger entries. The value range is 60 to 7200 seconds.

Usage guidelines

With MAC-based quick portal authentication enabled, the device generates a MAC-trigger entry for a user when the device detects traffic from the user for the first time. The MAC-trigger entry records the following information:

·     MAC address of the user

·     Interface index

·     VLAN ID

·     Traffic statistics

·     Aging timer

When the aging time expires, the device deletes the MAC-trigger entry. The device re-creates a MAC-trigger entry for the user when it detects the user's traffic again.

Examples

# Specify the aging time as 300 seconds for MAC-trigger entries.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aging-time 300

Related commands

display portal mac-trigger-server

app-id (Facebook authentication server view)

Use app-id to specify the app ID for Facebook authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

No app ID is specified for Facebook authentication.

Views

Facebook authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID for Facebook authentication.

Usage guidelines

If a portal user uses Facebook authentication, the Facebook server authenticates and authorizes the user and sends an authorization code to the device after the authentication and authorization succeed. Then, the device sends the authorization code, app ID, and app key to the Facebook server to determine whether the user has passed authentication and authorization.

Examples

# Specify 123456789 as the app ID for Facebook authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb] app-id 123456789

Related commands

display portal extend-auth-server

app-id (QQ authentication server view)

Use app-id to specify the app ID for QQ authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

An app ID for QQ authentication exists.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID for QQ authentication.

Usage guidelines

To use QQ authentication for portal users, you must go to Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks:

1.     Register as a developer by using a valid QQ account.

2.     Apply the access to the platform for your website. The website is the webpage to which users are redirected after passing QQ authentication.

You will obtain the app ID and app key from the Tencent Open Platform after your application succeeds.

After a portal user passes QQ authentication, the QQ authentication server sends the authorization code of the user to the portal Web server. After the portal Web server receives the authorization code, it sends the authorization code of the user, the app ID, and the app key to the QQ authentication server for verification. If the information is verified as correct, the device determines that the user passes QQ authentication.

Examples

# Specify 101235509 as the app ID for QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] app-id 101235509

Related commands

display portal extend-auth-server

app-id (WeChat authentication server view)

Use app-id to specify the app ID for WeChat authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

No app ID is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID for WeChat authentication.

Usage guidelines

The app ID specified in this command must be the same as the app ID obtained from the WeChat Official Account Admin Platform.

This configuration is required for the device to provide local WeChat authentication for portal users.

To obtain the app ID for WeChat authentication, you must perform the following tasks:

1.     Go to the WeChat Official Account Admin Platform (https://mp.weixin.qq.com) to apply a WeChat official account.

2.     Use the account to log in to the platform and enable the WeChat WiFi hotspot feature.

3.     Click the device management tab, add the device: select the shop where the device is deployed, select the portal device type, and enter the SSID of your WiFi network.

After the previous configurations, you will obtain the credentials (app ID, app key, and shop ID) for WeChat authentication.

When a WeChat user attempts to connect to the WiFi network provided in the specified shop, the device sends the credentials to the WeChat Official Account Platform for verification. After the credentials are verified, the device continues the portal authentication and allows the user to use the WiFi network after the authentication.

Examples

# Specify wx23fb4aaf04b8491e as the app ID for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] app-id wx23fb4aaf04b8491e

Related commands

display portal extend-auth-server

app-key (Facebook authentication server view)

Use app-key to specify the app key for Facebook authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

No app key is specified for Facebook authentication.

Views

Facebook authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app key in encrypted form.

simple: Specifies the app key in plaintext form.

app-key: Specifies the app key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

If a portal user uses Facebook authentication, the Facebook server authenticates and authorizes the user and sends an authorization code to the device after the authentication and authorization succeed. Then, the device sends the authorization code, app ID, and app key to the Facebook server to determine whether the user has passed authentication and authorization.

Examples

# Specify 123 in plaintext form as the app key for Facebook authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb] app-key simple 123

Related commands

display portal extend-auth-server

app-key (QQ authentication server view)

Use app-key to specify the app key for QQ authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

An app key for QQ authentication exists.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app key in encrypted form.

simple: Specifies the app key in plaintext form.

app-key: Specifies the app key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

To use QQ authentication for portal users, you must go to Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks:

1.     Register as a developer by using a valid QQ account.

2.     Apply the access to the platform for your website. The website is the webpage to which users are redirected after passing QQ authentication.

You will obtain the app ID and app key from the Tencent Open Platform after your application succeeds.

After a portal user passes QQ authentication, the QQ authentication server sends the authorization code of the user to the portal Web server. After the portal Web server receives the authorization code, it sends the authorization code of the user, the app ID, and the app key to the QQ authentication server for verification. If the information is verified as correct, the device determines that the user passes QQ authentication.

Examples

# Specify 8a5428e6afdc3e2a2843087fe73f1507 in plaintext form as the app key for QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] app-key simple 8a5428e6afdc3e2a2843087fe73f1507

Related commands

display portal extend-auth-server

app-key (WeChat authentication server view)

Use app-key to specify the app key for WeChat authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

No app key is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app key in encrypted form.

simple: Specifies the app key in plaintext form.

app-key: Specifies the app key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

This configuration is required for the device to provide local WeChat authentication for portal users. The app key specified in this command must be the same as the app key obtained from the WeChat Official Account Admin Platform.

To obtain the app key for WeChat authentication, you must perform the following tasks:

1.     Go to the WeChat Official Account Admin Platform (https://mp.weixin.qq.com) to apply a WeChat official account.

2.     Use the account to log in to the platform and enable the WeChat WiFi hotspot feature.

3.     Click the device management tab, add the device: select the shop where the device is deployed, select the portal device type, and enter the SSID of your WiFi network.

After the previous configurations, you will obtain the credentials (app ID, app key, and shop ID) for WeChat authentication.

When a WeChat user attempts to connect to the WiFi network provided in the specified shop, the device sends the credentials to the WeChat Official Account Platform for verification. After the credentials are verified, the device continues the portal authentication and allows the user to use the WiFi network after the authentication.

Examples

 # Specify nqduqg4816689geruhq3 in plaintext form as the app key for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] app-key simple nqduqg4816689geruhq3

Related commands

display portal extend-auth-server

app-secret

Use app-secret to specify the app secret for WeChat authentication.

Use undo app-secret to restore the default.

Syntax

app-secret { cipher | simple } string

undo app-secret

Default

No app secret is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app secret in encrypted form.

simple: Specifies the app secret in plaintext form.

app-key: Specifies the app secret string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

When the subscribe-required feature is enabled, you must specify the app secret for WeChat authentication on the device.

To obtain the app secret for WeChat authentication, perform the following tasks:

1.     Use a WeChat official account to log in to the WeChat Official Account Admin Platform.

For more information about the WeChat official account, see WeChat authentication configuration in Security Configuration Guide.

2.     From the navigation tree, select Developer Centers.

In the Configuration Items area, you can see the app secret for the WeChat Official account.

Examples

# Specify nqduqg4816689geruhq3 in plaintext form as the app secret for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] app-secret simple nqduqg4816689geruhq3

authentication-timeout

Use authentication-timeout to set the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving the MAC binding query response.

Use undo authentication-timeout to restore the default.

Syntax

authentication-timeout minutes

undo authentication-timeout

Default

The authentication timeout time is 3 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the authentication timeout in the range of 1 to 15 minutes.

Usage guidelines

Upon receiving the MAC binding query response of a user from the MAC binding server, the device starts an authentication timeout timer for the user. When the timer expires, the device deletes the MAC-trigger entry of the user.

Examples

# Set the authentication timeout to 10 minutes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] authentication-timeout 10

Related commands

display portal mac-trigger-server

auth-url

Use auth-url to specify the URL of the QQ or Facebook authentication server.

Use undo auth-url to delete the URL of the QQ or Facebook authentication server.

Syntax

auth-url url-string

undo auth-url

Default

The URL of QQ authentication server is https://graph.qq.com.

The URL of Facebook authentication server is https://graph.facebook.com.

Views

QQ authentication server view

Facebook authentication server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of the QQ or Facebook authentication server, a case-sensitive string of 1 to 256 characters. Make sure that you specify the actual URL of the QQ or Facebook authentication server.

Examples

# Specify http://oauth.qq.com/ as the URL of the QQ authentication server.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] auth-url http://oauth.qq.com

# Specify http://oauth.facebook.com as the URL of the Facebook authentication server.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb] auth-url http://oauth.facebook.com

Related commands

display portal extend-auth-server

binding-retry

Use binding-retry to specify the maximum number of attempts and the interval for sending MAC binding queries to the MAC binding server.

Use undo binding-retry to restore the default.

Syntax

binding-retry { retries | interval interval } *

undo binding-retry

Default

The maximum number of query attempts is 3 and the query interval is 1 second.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10.

interval interval: Specifies the query interval in the range of 1 to 60 seconds.

Usage guidelines

If the device does not receive a response from the MAC binding server after the maximum number is reached, the device determines that the MAC binding server is unreachable. The device performs normal portal authentication for the user. The user needs to enter the username and password for authentication.

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Set the maximum number of MAC binding query attempts to 3 and the query interval to 60 seconds.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] binding-retry 3 interval 60

Related commands

display portal mac-trigger-server

captive-bypass enable

Use captive-bypass enable to enable the captive-bypass feature.

Use undo captive-bypass enable to disable the captive-bypass feature.

Syntax

captive-bypass [ android | ios [ optimize ] ] enable

undo captive-bypass [ android | ios [ optimize ] ] enable

Default

The captive-bypass feature is disabled. The device automatically pushes the portal authentication page to the iOS devices and some Android devices when they are connected to the network.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

android: Enables the captive-bypass feature for Android users.

ios: Enables the captive-bypass feature for iOS users.

optimize: Enables the optimized captive-bypass feature.

Usage guidelines

With the captive-bypass feature enabled, the device does not automatically push the portal authentication page to iOS devices and some Android devices when they are connected to the network. The device pushes the portal authentication page only when the user accesses the Internet by using a browser.

The optimized captive-bypass feature applies only to iOS mobile devices. The device automatically pushes the portal authentication page to iOS mobile devices when they are connected to the network. Users can press the home button to return to the desktop without triggering portal authentication, and the Wi-Fi connection is not terminated.

You cannot enable the captive-bypass feature for both Android and iOS users. If you execute this command multiple times, the most recent configuration takes effect.

If you do not specify any parameters, this command enables the captive-bypass feature for both Android and iOS users.

Examples

# Enable the captive-bypass feature.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass enable

# Enable the optimized captive-bypass feature for iOS users.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass ios optimize enable

# Enable the captive-bypass feature for Android users.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass android enable

Related commands

display portal captive-bypass statistics

display portal web-server

cloud-binding enable

Use cloud-binding enable to enable cloud MAC-trigger authentication.

Use undo cloud-binding enable to disable cloud MAC-trigger authentication.

Syntax

cloud-binding enable

undo cloud-binding enable

Default

Cloud MAC-trigger authentication is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

The cloud MAC-trigger authentication feature enables the cloud server to provide automated authentication to users as a unified portal authentication, portal Web, and MAC binding server. Users are required to perform manual authentication (entering the username and password) only for the first network access. They are automatically connected to the network without manual authentication for subsequent network access attempts.

Examples

# Enable cloud MAC-trigger authentication for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] cloud-binding enable

Related commands

display portal mac-trigger-server

cloud-server url

Use cloud-server url to specify the URL of the cloud portal authentication server.

Use undo cloud-server url to restore the default.

Syntax

cloud-server url url-string

undo cloud-server url

Default

The URL of the cloud portal authentication server is not specified. The device uses the URL of the portal Web server as the URL of the cloud portal authentication server.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of a cloud portal authentication server. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

Usage guidelines

To separate portal authentication and Web servers, specify the cloud portal authentication server URL by using this command, and specify a different URL for the portal Web server. In this way, you can use a different portal Web server to provide customized authentication pages to users.

Examples

# In the view of MAC binding server mts, specify http://lvzhou.h3c.com as the URL of the cloud portal authentication server.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] cloud-server url http://lvzhou.h3c.com

Related commands

display portal mac-trigger-server

default-logon-page

Use default-logon-page to specify the default authentication page file for a local portal Web service.

Use undo default-logon-page to restore the default.

Syntax

default-logon-page file-name

undo default-logon-page

Default

The default authentication page file for a local portal Web service is file defaultfile.zip.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

file-name: Specifies the default authentication page file by the file name (without the file storage directory). The file name is a case-sensitive string of 1 to 91 characters. Valid characters are letters, digits, dots (.) and underscores (_).

Usage guidelines

You must edit the default authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages. The device then sets them as the default authentication pages for local portal authentication.

Examples

# Specify file pagefile1.zip as the default authentication page file for local portal authentication.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] default-logon-page pagefile1.zip

Related commands

portal local-web-server

display portal

Use display portal to display portal configuration and portal running state.

Syntax

display portal { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays portal configuration and portal running state for all radios of the AP.

interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display portal configuration and portal running state on AP fatap.

<Sysname> display portal ap fatap

 Portal information of fatap

 Radio ID: 1

 SSID: portal

     Authorization : Strict checking

     ACL           : Disable

     User profile  : Disable

     Dual stack    : Disabled

     Dual IP       : Disabled

     Dual traffic-separate: Disabled

 IPv4:

     Portal status: Enabled

     Portal authentication method: Direct

     Portal Web server: wbs(active)

     Secondary portal Web server: wbs sec

     Portal mac-trigger-server: mts

     Authentication domain: my-domain

     Extend-auth domain: def

     User-dhcp-only: Enabled

     Max portal users: 1024

     Bas-ip: 2.2.2.2

     Action for sever detection:

         Server type      Server name           Action

         Web server       wbs                   fail-permit

         Portal server    pts                   fail-permit

     Destination authentication subnet:

         IP address                             Mask

         2.2.2.2                                255.255.0.0

 IPv6:

     Portal status: Enabled

     Portal authentication method: Direct

     Portal Web server: wbsv6(active)

     Secondary portal Web server: Not configured

     Authentication domain: my-domain

     Extend-auth domain: Not configured

     User-dhcp-only: Disabled

     Max portal users: 512

     Bas-ipv6: 2000::1     

     Action for sever detection:

         Server type      Server name           Action

         Web server       wbsv6                 fail-permit

         Portal server    ptsv6                 fail-permit

     Destination authentication subnet:

         IP address                             Prefix length

3000::1                                64

# Display portal configuration and portal running state on VLAN-interface 30.

<Sysname> display portal interface Vlan-interface 30

 Portal information of Vlan-interface30

     NAS-ID profile: Not configured

     Authorization : Strict checking

     ACL           : Disable

     User profile  : Disable

     Dual stack    : Disabled

     Dual IP       : Disabled

     Dual traffic-separate: Disabled

 IPv4:

     Portal status: Enabled

     Portal authentication method: Direct

     Portal Web server: pt(active)

     Secondary portal Web server: wbs sec

     Authentication domain: test

     Pre-auth domain: Not configured

     Extend-auth domain: def

     User-dhcp-only: Disabled

     Pre-auth IP pool: Not configured

     Max portal users: Not configured

     Bas-ip: Not configured

     User detection: Not configured

     Portal temp-pass: Enabled,       Period: 30s

     Action for server detection:

         Server type    Server name                        Action

         --             --                                 --

     Layer3 source network:

         IP address               Mask

 

     Destination authentication subnet:

         IP address               Mask

 IPv6:

     Portal status: Disabled

     Portal authentication method: Disabled

     Portal Web server: Not configured

     Secondary portal Web server: Not configured

     Authentication domain: Not configured

     Pre-auth domain: Not configured

     User-dhcp-only: Disabled

     Pre-auth IP pool: Not configured

     Max portal users: Not configured

     Extend-auth domain: Not configured

     Bas-ipv6: Not configured

     User detection: Not configured

     Portal temp-pass: Disabled

     Action for server detection:

         Server type    Server name                        Action

         --             --                                 --

     Layer3 source network:

         IP address                                        Prefix length

 

     Destination authentication subnet:

         IP address                                        Prefix length

Table 1 Command output

Field

Description

Portal information of interface

Portal configuration on the interface.

Radio ID

ID of the radio.

SSID

Service set identifier.

NAS-ID profile

NAS-ID profile on the interface.

Authorization

Authorization information type: ACL or user profile.

Strict checking

Whether strict checking is enabled on portal authorization information.

Dual stack

Status of the portal dual-stack feature on the interface:

·     Disabled.

·     Enabled.

Dual IP

Status of the dual IP feature, disabled or enabled.

This feature enables the device to carry both an IPv4 address and an IPv6 address in RADIUS packets for single-stack users in remote portal authentication.

Dual traffic-separate

Status of separate IPv4 and IPv6 traffic statistics for dual-stack portal users on the interface:

·     Disabled.

·     Enabled.

IPv4

IPv4 portal configuration.

IPv6

IPv6 portal configuration.

Portal status

Portal authentication status on the interface:

·     Disabled—Portal authentication is disabled.

·     Enabled—Portal authentication is enabled.

·     Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication.

Portal authentication method

Type of authentication enabled on the interface:

·     Direct—Direct authentication.

·     Redhcp—Re-DHCP authentication.

·     Layer3—Cross-subnet authentication.

Portal Web server

Name of the primary portal Web server specified on the interface.

This field displays the (active) flag next to the server name if the server is being used.

Secondary portal Web server

Name of the backup portal Web server specified on the interface.

This field displays the (active) flag next to the server name if the server is being used.

Portal mac-trigger-server

Name of the MAC binding server specified on the interface.

Authentication domain

Mandatory authentication domain on the interface.

Pre-auth domain

Preauthentication domain for portal users on the interface.

Extend-auth domain

Authentication domain configured for third-party authentication on an interface or service template.

User-dhcp-only

Status of the user-dhcp-only feature:

·     Enabled—Only users with IP addresses obtained through DHCP can perform portal authentication.

·     Disabled—Both users with IP addresses obtained through DHCP and users with static IP addresses can pass authentication to get online.

Pre-auth ip-pool

Name of the IP address pool specified for portal users before authentication.

Max portal users

Maximum number of portal users allowed on an interface.

Bas-ip

BAS-IP attribute of the portal packets sent to the portal authentication server.

Bas-ipv6

BAS-IPv6 attribute of the portal packets sent to the portal authentication server.

User detection

Configuration for online detection of portal users on the interface, including detection method (ARP, ICMP, ND, or ICMPv6), detection interval, maximum number of detection attempts, and user idle time.

Portal temp-pass

Status of the temporary pass feature:

·     Enabled—The temporary pass feature is enabled.

·     Disabled—The temporary pass feature is disabled.

·     Period—Temporary pass period during which a user can access the Internet temporarily. This field is displayed only if the temporary pass feature is enabled.

Action for server detection

Portal server detection configuration on the interface:

·     Server type—Type of the server. Portal server represents the portal authentication server, and Web server represents the portal Web server.

·     Server name—Name of the server.

·     Action—Action triggered by the result of server detection. This field displays fail-permit when the portal fail-permit feature is enabled.

Layer3 source network

Information of the portal authentication source subnet.

Destination authentication subnet

Information of the portal authentication destination subnet.

IP address

IP address of the portal authentication subnet.

Mask

Subnet mask of the portal authentication subnet.

Prefix length

Prefix length of the IPv6 portal authentication subnet address.

 

display portal auth-error-record

Use display portal auth-error-record to display portal authentication error records.

Syntax

display portal auth-error-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal authentication error records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Examples

# Display all portal authentication error records.

<Sysname> display portal auth-error-record all

Total authentication error records: 2

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:49:07

Auth error reason      : The maximum number of users already reached.

 

User MAC               : 0016-ecb7-a235

Interface              : Vlan-interface100

User IP address        : 192.168.0.10

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:51:07

Auth error reason      : The maximum number of users already reached.

# Display portal authentication error records for the portal user whose IPv4 address is 192.168.0.188.

<Sysname> display portal auth-error-record ip 192.168.0.188

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:49:07

Auth error reason      : The maximum number of users already reached.

# Display portal authentication error records for the portal user whose IPv6 address is 2000::2.

<Sysname> display portal auth-error-record ipv6 2000::2

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 2000::2

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:49:07

Auth error reason      : The maximum number of users already reached.

# Display portal authentication error records with the error time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal auth-error-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 14:22:25

Auth error reason      : The maximum number of users already reached.

Table 2 Command output

Field

Description

Total authentication error records

Total number of portal authentication error records.

User MAC

MAC address of the portal user.

Interface

Access interface of the portal user.

User IP address

IP address of the portal user.

AP

AP name.

SSID

Service set identifier.

Auth error time

Time when the portal user encountered an authentication error, in the format of YYYY-MM-DD hh:mm:ss.

Auth error reason

Reason for the authentication error:

·     The maximum number of users already reached.

·     Failed to obtain user physical information.

·     Failed to receive the packet because packet length is 0.

·     Packet source unknown. Server IP:X.X.X.X, VRF index:0.

·     Packet validity check failed because packet length and version don't match.

·     Packet type invalid.

·     Packet validity check failed due to invalid authenticator.

·     Memory insufficient.

·     Portal is disabled on the interface.

·     The maximum number of users on the interface already reached.

·     Failed to get the access token of the cloud user.

·     Failed to get the user information of the cloud user.

·     Failed to get the access token of the QQ user.

·     Failed to get the openID of the QQ user.

·     Failed to get the user information of the QQ user.

·     Email authentication failed.

·     Failed to get the access token of the Facebook user.

·     Failed to get the user information of the Facebook user.

·     Invalid JSON format of the access token for the cloud user.

·     Invalid JSON format of the user information for the cloud user.

·     Failed to get the user information of the local WeChat user.

·     Invalid access token or App secret.

·     Access token expired.

·     Invalid App ID.

·     Invalid device IP. The IP is not in the whitelist of the WeChat platform.

·     API unauthorized.

·     The WeChat user does not follow the WeChat official account.

·     Failed to create the user because VSRP was down on the interface.

·     Connection to the cloud server timed out.

·     Failed to connect to the cloud server.

·     Failed to get curl resource to request cloud access token.

·     Failed to get curl resource to request cloud user information.

·     Other connection error.

·     No parameters found in the authentication request.

·     Missing authentication parameters such as code, auth-type, portal_server.

·     Cloud user information retrieval timed out.

·     Local WeChat user information retrieval timed out.

·     Failed to create the PAM handle.

·     Failed to set PAM items for authentication.

·     NasPortType is wireless.

·     Packet validity check failed because of invalid packet mode.

·     The user doesn't follow the WeChat official account. Returned 200 OK.

·     User log on while the device is requesting the access token.

·     No matching local MAC-trigger binding entry.

·     Failed to update the local MAC-trigger rule.

·     Failed to get physical info by IP. Ignored the new MAC event.

·     Updated the state of the MAC-trigger rule to no bind when authentication failed.

·     Failed to get binding info for the user from the MAC-trigger server.

·     No matching binding info for the user from the MAC-trigger server.

·     Failed to update the MAC-trigger rule when processing ACK-MAC-BIND.

·     Failed to receive a packet from the portal server.

 

Related commands

portal auth-error-record enable

reset auth-error-record

display portal auth-fail-record

Use display portal auth-fail-record to display portal authentication failure records.

Syntax

display portal auth-fail-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal authentication failure records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Display all portal authentication failure records.

<Sysname> display portal auth-fail-record all

Total authentication fail records: 2

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

 

User name              : coco

User MAC               : 0016-ecb7-a235

Interface              : Vlan-interface100

User IP address        : 192.168.0.10

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:50:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose IPv4 address is 192.168.0.8.

<Sysname> display portal auth-fail-record ip 192.168.0.188

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose IPv6 address is 2000::2.

<Sysname> display portal auth-fail-record ipv6 2000::2

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 2000::2

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose username is chap1.

<Sysname> display portal auth-fail-record username chap1

User name              : chap1

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records with the failure time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal auth-fail-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User name              : chap1

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 14:22:25

Auth failure reason    : Authorization information does not exist.

Table 3 Command output

Field

Description

Total authentication fail records

Total number of portal authentication failure records.

User name

Username of the portal user.

User MAC

MAC address of the portal user.

Interface

Access interface of the portal user.

User IP address

IP address of the portal user.

AP

AP name.

SSID

Service set identifier.

Auth failure time

Time when the portal user failed authentication, in the format of YYYY/MM/DD hh:mm:ss.

Auth failure reason

Reason why the user failed portal authentication:

·     Failed to get physical information.

·     ACL does not exist.

·     User profile does not exist.

·     Group profile does not exist.

·     ACL authorization failed.

·     QoS deployment failed on LIP.

·     User profile deployment failed on LIP.

·     Group profile deployment failed on LIP.

·     User car deployment failed on LIP.

·     AAA authorization failed.

·     Failed to get valid authorization information from AAA.

·     AAA accounting failed.

·     AAA authentication failed.

·     AAA returned an error.

·     Failed to set PAM items for authentication.

·     AAA server unreachable.

 

Related commands

portal auth-fail-record enable

reset portal auth-fail-record

display portal captive-bypass statistics

Use display portal captive-bypass statistics to display packet statistics for portal captive-bypass.

Syntax

display portal captive-bypass statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display portal captive-bypass packet statistics.

<Sysname> display portal captive-bypass statistics

User type       Packets

iOS:            1

Android:        0

Table 4 Command output

Field

Description

User type

Type of users:

·     iOS.

·     Android.

Packets

Number of portal captive-bypass packets sent to the users.

 

Related commands

captive-bypass enable

display portal dns free-rule-host

Use display portal dns free-rule-host to display IP addresses corresponding to host names in destination-based portal-free rules.

Syntax

display portal dns free-rule-host [ host-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

host-name: Specifies a host by its name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, hyphens (-), underscores (_), dots (.), and wildcards (asterisks *). The host name cannot be ip or ipv6. If you do not specify a host name, this command displays IP addresses corresponding to all host names in destination-based portal-free rules.

Examples

# Display IP addresses corresponding to host name http://www.baidu.com/ in a destination-based portal-free rule.

<Sysname> display portal dns free-rule-host www.baidu.com

 Host name                     IP

 www.baidu.com                 10.10.10.10

# Display IP addresses corresponding to host name *abc.com in a destination-based portal-free rule.

<Sysname> display portal dns free-rule-host *abc.com

 Host name                     IP

 *abc.com                      12.12.12.12

                               111.8.33.100

                               3.3.3.3

Table 5 Command output

Field

Description

Host name

Host name specified in a destination-based portal-free rule.

IP

IP address corresponding to the host name.

 

display portal dns redirect-rule-host

Use display portal dns redirect-rule-host to display IP addresses resolved by host names in destination-based portal redirection rules.

Syntax

display portal dns redirect-rule-host [ host-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. Valid characters include letters, digits, hyphens (-), underscores (_), and dots (.). If you do not specify a host name, this command displays IP addresses resolved by all host names in all destination-based portal redirection rules.

Usage guidelines

For destination-based portal redirection rules that specify host names, the device will resolve the host names to IP addresses. Use this command to display IP addresses that are resolved by the host names in redirection rules.

The system can save a maximum of 16 resolved IPv4 addresses and 16 resolved IPv6 addresses. If the maximum number is reached, the new resolved IP address will override the oldest resolved IP address.

Examples

# Display IP addresses resolved by host name www.baidu.com in a destination-based portal redirection rule.

<Sysname> display portal dns redirect-rule-host www.baidu.com

 Host name                     IP

 www.baidu.com                 10.10.10.10

# Display IP addresses resolved by host name www.abc.com in a destination-based portal redirection rule.

<Sysname> display portal dns redirect-rule-host www.abc.com

 Host name                     IP

 www.abc.com                   12.12.12.12

                               111.8.33.100

                               3.3.3.3

# Display IP addresses resolved by all host names in all destination-based portal redirection rules.

<Sysname> display portal dns redirect-rule-host

 Host name                     IP

www.baidu.com                  10.10.10.10

 www.abc.com                   12.12.12.12

                               111.8.33.100

                               3.3.3.3

Table 6 Command output

Field

Description

Host name

Host name in a destination-based portal redirection rule.

IP

IP address resolved by the host name.

 

Related commands

portal redirect-rule destination

display portal extend-auth-server

Use display portal extend-auth-server to display information about third-party authentication servers.

Syntax

display portal extend-auth-server { all | facebook | mail | qq | wechat }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all third-party authentication servers.

facebook: Specifies the Facebook authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

Examples

# Display information about all third-party authentication servers.

<Sysname> display portal extend-auth-server all

Portal extend-auth-server: qq

   Authentication URL : http://graph.qq.com

   APP ID            : 101235509

   APP key           : ******

   Redirect URL      : http://oauthindev.h3c.com/portal/qqlogin.html

Portal extend-auth-server: mail

   Mail protocol      : POP3

   Mail domain name   : @qq.com

Portal extend-auth-server: wechat

  App ID             : wx23fb4aaf04b8491e

  App key            : ******

  App secret         : ******

  Subscribe-required : Enabled

  Shop ID            : 6747662

Portal extend-auth-server: facebook

   Authentication URL : https://graph.facebook.com

   APP ID             : 123456789

   APP key            : ******

   Redirect URL       : http://oauthindev.h3c.com/portal/fblogin.html

Table 7 Command output

Field

Description

Portal extend-auth-server

Type of the third-party authentication server.

Authentication URL

URL of the third-party authentication server.

APP ID

App ID for the third-party authentication.

APP key

App key for the third-party authentication.

APP secret

App secret for WeChat authentication.

Subscribe-required

Status of the subscribe-required feature:

·     Enabled.

·     Disabled.

Redirect URL

URL to which portal users are redirected after they pass third-party authentication.

Mail protocol

Protocols of the email authentication service.

Mail domain name

Email domain name of the email authentication service.

Shop ID

ID of the shop where the device is deployed as a portal device for WeChat authentication.

 

Related commands

portal extend-auth-server

display portal local-binding mac-address

Use display portal local-binding mac-address to display information about local MAC-account binding entries on the local MAC binding server.

Syntax

display portal local-binding mac-address { mac-address | all }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address: Specifies the MAC address of a portal user, in the format H-H-H.

all: Specifies all local MAC-account binding entries.

Examples

# Display information about all local MAC-account binding entries.

<Sysname> display portal local-binding mac-address all

Total MAC addresses: 5

MAC address                Username            Aging(hh:mm:ss)

0015-e9a6-7cfe             wlan_user1          00:41:38

0000-e27c-6e80             wlan_user2          00:41:38

000f-e212-ff01             wlan_user3          00:41:38

001c-f08f-f804             wlan_user4          00:41:38

000f-e233-9000             wlan_user5          00:41:38

# Display information about the local MAC-account binding entry for the user with MAC address 0015-e9a6-7cfe.

<Sysname> display portal local-binding mac-address 0015-e9a6-7cfe

Total MAC addresses: 1

MAC address                Username            Aging(hh:mm:ss)

0015-e9a6-7cfe             wlan_user1          00:41:38

Table 8 Command output

Field

Description

MAC address

MAC address of a portal user.

Username

Username of a portal user.

Aging

Remaining lifetime of the local MAC-account binding entry.

 

Related commands

local-binding enable

display portal logout-record

Use display portal logout-record to display portal user offline records.

Syntax

display portal logout-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal user offline records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Display all portal user offline records.

<Sysname> display portal logout-record all

Total logout records: 2

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:20:19

User logout time       : 2016-03-04 14:22:05

Logout reason          : Admin Reset

 

User name              : coco

User MAC               : 0016-ecb7-a235

Interface              : Vlan-interface100

User IP address        : 192.168.0.10

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:10:15

User offline time      : 2016-03-04 14:22:05

Offline reason         : Admin Reset

# Display offline records for the portal user whose IP address is 192.168.0.8.

<Sysname> display portal logout-record ip 192.168.0.8

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:26:12

User logout time       : 2016-03-04 14:27:35

Logout reason          : Admin Reset

# Display offline records for the portal user whose username is chap1.

<Sysname> display portal logout-record username chap1

User name              : chap1

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 17:20:19

User logout time       : 2016-03-04 17:22:05

Logout reason          : Admin Reset

# Display portal user offline records with the logout time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal logout-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : Vlan-interface100

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:20:19

User logout time       : 2016-03-04 14:22:05

Logout reason          : Admin Reset

Table 9 Command output

Field

Description

Total logout records

Total number of portal user offline records.

User name

Username of the portal user.

User MAC

MAC address of the portal user.

Interface

Access interface of the portal user.

User IP address

IP address of the portal user.

AP

AP name.

SSID

Service set identifier.

User login time

Time when the portal user came online, in the format of YYYY-MM-DD hh:mm:ss.

User logout time

Time when the portal user went offline, in the format of YYYY-MM-DD hh:mm:ss.

Logout reason

Reason why the portal user went offline:

·     User request.

·     DHCP entry deleted.

·     Idle timeout.

·     Session timeout.

·     User detection failure.

·     Force logout by RADIUS server.

·     Interface down.

·     Failed to assign a user rule.

·     Authorization info changed.

·     Force logout by access device.

·     User info synchronization failure.

·     User recovery failure.

·     Authorization ACL for the online user changed.

·     Authorization user profile for the online user changed.

·     Accounting update failure.

·     Failed to start accounting.

·     User traffic reached threshold.

·     Authorization ACL does not exist.

·     Failed to get physical info.

·     Failed to add an ARP or ND entry for the user.

·     User information does not match user profile.

·     Authorization user profile does not exist.

·     Failed to issue the user rule to the AP.

·     Deleted the user for SSID switchover.

·     Failed to issue an OpenFlow rule to the AP.

·     Logged out the user after the wireless client disconnected.

·     Logged out the user when a new user with the same MAC address performed MAC-trigger authentication.

·     Logged out the user when a new dual-stack user with the same MAC address came online.

·     The portal server failed to instruct the device to change the user IP address.

·     DHCP received a DHCP release packet.

·     DHCP lease expired.

·     DHCP received a DHCP release packet from the WLAN roaming center.

·     WLAN roaming center instructed portal to log out the user.

·     Logged out the user after user synchronization through WiFiDog.

·     The cloud portal server instructed portal to log out the user.

 

Related commands

portal logout-record enable

reset portal logout-record

display portal mac-trigger user

Use display portal mac-trigger user to display information about MAC-trigger authentication users (portal users that perform MAC-trigger authentication).

Syntax

display portal mac-trigger user { all | ip ipv4-address | mac mac-address }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all MAC-trigger authentication users.

ip ipv4-address: Specifies a MAC-trigger authentication user by its IP address.

mac mac-address: Specifies a MAC-trigger authentication user by its MAC address, in the format of H-H-H.

Examples

# Display information about all MAC-trigger authentication users.

<Sysname> display portal mac-trigger user all

Total portal mac-trigger users: 8

MAC address      IP address     VLAN ID   Interface          Traffic(Bytes)  State

0050-ba50-732a   1.1.1.6        1         Vlan-interface1    0               NOBIND

0050-ba50-7328   1.1.1.4        1         Vlan-interface1    0               NOBIND

0050-ba50-7326   1.1.1.2        1         Vlan-interface1    0               NOBIND

0050-ba50-732c   1.1.1.8        1         Vlan-interface1    0               NOBIND

0050-ba50-7329   1.1.1.5        1         Vlan-interface1    0               NOBIND

# Display information about the MAC-trigger authentication user whose MAC address is 0050-ba50-7777.

<Sysname> display portal mac-trigger user mac 0050-ba50-7777

MAC address      IP address     VLAN ID   Interface          Traffic(Bytes)  State

0050-ba50-777    1.1.5.83       1         Vlan-interface1    0               NOBIND

# Display information about the MAC-trigger authentication user whose IP address is 1.1.2.126.

<Sysname> display portal mac-trigger user ip 1.1.2.126

MAC address      IP address     VLAN ID   Interface          Traffic(Bytes)  State

0050-ba50-74a2   1.1.2.126      1         Vlan-interface1    0               NOBIND

Table 10 Command output

Field

Description

MAC address

MAC address of the user.

IP address

IP address of the user.

VLAN ID

ID of the VLAN to which the user belongs.

Interface

Interface through which the user accesses the network.

Traffic(Bytes)

Traffic of the user, in bytes.

State

Status of the user:

·     DEFAULT—The user's traffic is below the free-traffic threshold and the user can access the network without authentication.

·     WAIT—The binding status between the user's MAC address and account is being queried.

·     NOBIND—The user's MAC address is not bound with the user's account.

·     BIND—The user's MAC address is bound with the user's account.

·     DISABLE—The MAC-trigger entry for the user is deleted on the device.

 

Related commands

portal apply mac-trigger-server

portal mac-trigger-server

display portal mac-trigger-server

Use display portal mac-trigger-server to display information about MAC binding servers.

Syntax

display portal mac-trigger-server { all | name server-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all MAC binding servers.

name server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Examples

# Display information about all MAC binding servers.

<Sysname> display portal mac-trigger-server all

Portal mac-trigger server name: ms1

  Version                    : 2.0

  Server type                : CMCC

  IP                         : 10.1.1.1

  Port                       : 100

  VPN instance               : Not configured

  Aging time                 : 120 seconds

  Free-traffic threshold     : 1000 bytes

  NAS-Port-Type              : 255

  Binding retry times        : 5

  Binding retry interval     : 2 seconds

  Authentication timeout     : 5 minutes

  Local-binding              : Disabled

  Local-binding aging time   : 12 minutes

  aaa-fail nobinding         : Disabled

  Excluded attribute list    : 1

  Cloud-binding              : Disabled

  Cloud server URL           : Not configured

Portal mac-trigger server name: mts

  Version                    : 1.0

  Server type                : IMC

  IP                         : 4.4.4.2

  Port                       : 50100

  VPN instance               : Not configured

  Aging time                 : 300 seconds

  Free-traffic threshold     : 0 bytes

  NAS-Port-Type              : Not configured

  Binding retry times        : 3

  Binding retry interval     : 1 seconds

  Authentication timeout     : 3 minutes

  Local-binding              : Disabled

  Local-binding aging-time   : 12 minutes

  aaa-fail nobinding         : Disabled

  Excluded attribute list    : 1

  Cloud-binding              : Disabled

  Cloud server URL           : Not configured

# Display information about MAC binding server ms1.

<Sysname> display portal mac-trigger-server name ms1

Portal mac-trigger server name: ms1

  Version                    : 2.0

  Server type                : CMCC

  IP                         : 10.1.1.1

  Port                       : 100

  VPN instance               : Not configured

  Aging time                 : 120 seconds

  Free-traffic threshold     : 1000 bytes

  NAS-Port-Type              : 255

  Binding retry times        : 5

  Binding retry interval     : 2 seconds

  Authentication timeout     : 5 minutes

  Local-binding              : Disabled

  Local-binding aging-time   : 12 minutes

  aaa-fail nobinding         : Disabled

  Excluded attribute list    : 1

  Cloud-binding              : Disabled

  Cloud server URL           : Not configured

Table 11 Command output

Field

Description

Portal mac-trigger server name

Name of the MAC binding server.

Version

Version of the portal protocol:

·     1.0—Version 1.

·     2.0—Version 2.

·     3.0—Version 3.

Server type

Type of the MAC binding server:

·     CMCC—CMCC server.

·     IMC—H3C IMC server or H3C CAMS server.

IP

IP address of the MAC binding server.

Port

UDP port number on which the MAC binding server listens for MAC binding query packets.

VPN instance

This field is not supported in the current software version.

MPLS L3VPN where the MAC binding server resides.

Aging time

Aging time in seconds. A MAC-trigger entry is aged out when the aging time expires.

Free-traffic threshold

Free-traffic threshold in bytes. If a user's traffic is below the threshold, the user can access the network without authentication.

NAS-Port-Type

NAS-Port-Type attribute value in RADIUS request packets sent to the RADIUS server.

Binding retry times

Maximum number of attempts for sending MAC binding queries to the MAC binding server.

Binding retry interval

Interval at which the device sends MAC binding queries to the MAC binding server.

Authentication timeout

Maximum amount of time that the device waits for portal authentication to complete after receiving the MAC binding query response.

Excluded attribute list

Numbers of attributes excluded from portal protocol packets.

 

Local-binding

Status of local MAC-trigger authentication:

·     Disabled.

·     Enabled.

Local-binding aging-time

Aging time for local MAC-account binding entries, in minutes.

Cloud-binding

Status of cloud MAC-trigger authentication:

·     Disabled.

·     Enabled.

Cloud server URL

URL of the cloud portal authentication server.

aaa-fail nobinding

Status of the AAA failure unbinding feature:

·     Disabled.

·     Enabled.

 

display portal packet statistics

Use display portal packet statistics to display packet statistics for portal authentication servers and MAC binding servers.

Syntax

display portal packet statistics [ extend-auth-server { cloud | facebook | mail | qq | wechat } | mac-trigger-server server-name | server server-name ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

extend-auth-server: Specifies a third-party authentication server.

cloud: Specifies the cloud authentication server.

facebook: Specifies the Facebook authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

mac-trigger-server server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify any parameters, this command displays packet statistics for all third-party authentication servers, portal authentication servers, and MAC binding servers.

Examples

# Display packet statistics for portal authentication server pts.

<Sysname> display portal packet statistics server pts

 Portal server :  pts

 Invalid packets: 0

 Pkt-Type                            Total    Drops    Errors

 REQ_CHALLENGE                       3        0        0

 ACK_CHALLENGE                       3        0        0

 REQ_AUTH                            3        0        0

 ACK_AUTH                            3        0        0

 REQ_LOGOUT                          1        0        0

 ACK_LOGOUT                          1        0        0

 AFF_ACK_AUTH                        3        0        0

 NTF_LOGOUT                          1        0        0

 REQ_INFO                            6        0        0

 ACK_INFO                            6        0        0

 NTF_USERDISCOVER                    0        0        0

 NTF_USERIPCHANGE                    0        0        0

 AFF_NTF_USERIPCHAN                  0        0        0

 ACK_NTF_LOGOUT                      1        0        0

 NTF_HEARTBEAT                       0        0        0

 NTF_USER_HEARTBEAT                  2        0        0

 ACK_NTF_USER_HEARTBEAT              0        0        0

 NTF_CHALLENGE                       0        0        0

 NTF_USER_NOTIFY                     0        0        0

 AFF_NTF_USER_NOTIFY                 0        0        0

# Display packet statistics for MAC binding server newpt.

<Sysname> display portal packet statistics mac-trigger-server newpt

 MAC-trigger server: newpt

 Invalid packets: 0

 Pkt-Type                            Total    Drops    Errors

 REQ_MACBIND                         1        0        0

 ACK_MACBIND                         1        0        0

 NTF_MTUSER_LOGON                    1        0        0

 NTF_MTUSER_LOGOUT                   0        0        0

 REQ_MTUSER_OFFLINE                  0        0        0

# Display packet statistics for the cloud authentication server.

<Sysname> display portal packet statistics extend-auth-server cloud

Extend-auth server:  cloud

 Update interval:  60

  Pkt-Type               Success    Error      Timeout    Conn-failure

  REQ_ACCESSTOKEN        1          0          0          0

  REQ_USERINFO           1          0          0          0

  RESP_ACCESSTOKEN       1          0          0          0

  RESP_USERINFO          1          0          0          0

  POST_ONLINEDATA        0          0          0          0

  RESP_ONLINEDATA        0          0          0          0

  POST_OFFLINEUSER       1          0          0          0

  REPORT_ONLINEUSER      1          0          0          0

  REQ_CLOUDBIND          1          0          0          0

  RESP_CLOUDBIND         1          0          0          0

  REQ_BINDUSERINFO       0          0          0          0

  RESP_BINDUSERINFO      0          0          0          0

  AUTHENTICATION         0          1          0          0

Table 12 Command output

Field

Description

Portal server

Name of the portal authentication server.

Invalid packets

Number of invalid packets.

Pkt-Type

Packet type.

Total

Total number of packets.

Drops

Number of dropped packets.

Errors

Number of packets that carry error information.

REQ_CHALLENGE

Challenge request packet the portal authentication server sent to the access device.

ACK_CHALLENGE

Challenge acknowledgment packet the access device sent to the portal authentication server.

REQ_AUTH

Authentication request packet the portal authentication server sent to the access device.

ACK_AUTH

Authentication acknowledgment packet the access device sent to the portal authentication server.

REQ_LOGOUT

Logout request packet the portal authentication server sent to the access device.

ACK_LOGOUT

Logout acknowledgment packet the access device sent to the portal authentication server.

AFF_ACK_AUTH

Affirmation packet the portal authentication server sent to the access device after receiving an authentication acknowledgment packet.

NTF_LOGOUT

Forced logout notification packet the access device sent to the portal authentication server.

REQ_INFO

Information request packet.

ACK_INFO

Information acknowledgment packet.

NTF_USERDISCOVER

User discovery notification packet the portal authentication server sent to the access device.

NTF_USERIPCHANGE

User IP change notification packet the access device sent to the portal authentication server.

AFF_NTF_USERIPCHAN

User IP change success notification packet the portal authentication server sent to the access device.

ACK_NTF_LOGOUT

Forced logout acknowledgment packet the portal authentication server sent to the access device.

NTF_HEARTBEAT

Server heartbeat packet the portal authentication server periodically sent to the access device.

NTF_USER_HEARTBEAT

User synchronization packet the portal authentication server sent to the access device.

ACK_NTF_USER_HEARTBEAT

User synchronization acknowledgment packet the access device sent to the portal authentication server.

NTF_CHALLENGE

Challenge request packet the access device sent to the portal authentication server.

NTF_USER_NOTIFY

User information notification packet the access device sent to the portal authentication server.

AFF_NTF_USER_NOTIFY

NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.

MAC-trigger server

Name of the MAC binding server.

REQ MACBIND

MAC binding request packet the access device sent to the MAC binding server.

ACK_MACBIND

MAC binding acknowledgment packet the MAC binding server sent to the access device.

NTF_MTUSER_LOGON

User logon notification packet the access device sent to the MAC binding server.

NTF_MTUSER_LOGOUT

User logout notification packet the access device sent to the MAC binding server.

REQ_MTUSER_OFFLINE

Forced offline request packet the MAC binding server sent to the access device.

Extend-auth server

Type of the third-party authentication server:

·     qq—QQ authentication server.

·     mail—Email authentication server.

·     wechat—WeChat authentication server.

·     cloud—Cloud authentication server.

·     facebook—Facebook authentication server.

Update interval

Interval at which the device sends online user information to the third-party authentication server, in seconds.

This field is displayed only if the type of the third-party authentication server is cloud.

Success

Number of packets that have been successfully sent or received.

Timeout

Number of packets that timed out of establishing a connection to the third-party authentication server.

Conn-failure

Number of packets that failed to establish a connection to the third-party authentication server.

Deny

Number of packets denied access to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is mail.

REQ_ACCESSTOKEN

Access token request packet the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is qq, facebook, cloud or wechat.

REQ_OPENID

Open ID request packet the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is qq.

REQ_USERINFO

User information request packet the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is the qq, facebook, cloud or wechat.

RESP_ACCESSTOKEN

Access token response packet the access device received from the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is qq, facebook, cloud or wechat.

RESP_OPNEID

Open ID response packet the access device received from the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is qq.

RESP_USERINFO

User information response packet the access device received from the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is qq, facebook, cloud or wechat.

REQ_POP3

POP3 authentication request packet the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is mail.

REQ_IMAP

IMAP authentication request packet the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is mail.

POST_ONLINEDATA

Cloud user information request packet the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is cloud.

RESP_ONLINEDATA

Cloud user information response packet the access device received from the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is cloud.

POST_OFFLINEUSER

Cloud user offline packet the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is cloud or wechat.

REPORT_ONLINEUSER

Cloud user online packet the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is cloud or wechat.

REQ_CLOUDBIND

Cloud user binding status query request that the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is cloud.

RESP_CLOUDBIND

Cloud user binding status query response that the access device received from the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is cloud.

REQ_BINDUSERINFO

Cloud user information request packet that the access device sent to the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is cloud.

RESP_BINDUSERINFO

Cloud user information response packet that the access device received from the third-party authentication server.

This field is displayed only if the type of the third-party authentication server is cloud.

AUTHENTICATION

Result of third-party authentication.

 

Related commands

reset portal packet statistics

display portal permit-rule statistics

Use display portal permit-rule statistics to display statistics for portal permit rules.

Syntax

display portal permit-rule statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

Portal permit rules refer to category 1 and category 2 portal filtering rules, which permit user packets to pass.

Examples

# Display statistics for portal permit rules.

<Sysname> display portal permit-rule statistics

Interface             Free rules           Fuzzy rules            User rules

Vlan-interface30      2                    5                      10

Vlan-interface30      2                    3                      6

Table 13 Command output

Field

Description

Interface

Interface on which portal permit rules are used.

Free rules

Number of permit rules generated based on configured portal-free rules, excluding permit rules generated based on fuzzy matches of destination-based portal-free rules.

Fuzzy rules

Number of permit rules generated based on fuzzy matches of destination-based portal-free rules.

User rules

Number of permit rules generated after portal users pass authentication.

 

display portal redirect session

Use display portal redirect session to display redirect session statistics for online portal users.

Syntax

display portal redirect session [ ip ipv4-address | ipv6 ipv6-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ipv4-address: Specifies a portal user by its IPv4 address.

ipv6 ipv6-address: Specifies a portal user by its IPv6 address.

Usage guidelines

If you do not specify an IPv4 or IPv6 portal user, this command displays redirect session statistics for all online portal users.

Examples

# Display redirect session statistics for all online portal users.

<Sysname> display portal redirect session

Total HTTP sessions: 40

Total HTTP rejected: 18

Total HTTPS sessions: 40

Total HTTPS rejected: 80

IP: 192.168.0.1

  HTTP sessions: 20

  HTTP rejected: 10

  HTTPS sessions: 20

  HTTPS rejected: 40

IP: 192.168.0.2

  HTTP sessions: 20

  HTTP rejected: 8

  HTTPS sessions: 20

  HTTPS rejected: 40

# Display redirect session statistics for online portal user at 192.168.0.2.

<Sysname> display portal redirect session ip 192.168.0.2

IP: 192.168.0.2

  HTTP sessions: 128

  HTTP rejected: 10

  HTTPS sessions: 0

  HTTPS rejected: 0

Table 14 Command output

Field

Description

Total HTTP sessions

Total number of HTTP redirect sessions.

Total HTTP rejected

Total number of discarded HTTP redirect session requests.

Total HTTPS sessions

Total number of HTTPS redirect sessions.

Total HTTPS rejected

Total number of discarded HTTPS redirect session requests.

IP

IP address of the online portal user.

HTTP sessions

Number of HTTP redirect sessions for the user.

HTTP rejected

Number of discarded HTTP redirect session requests for the user.

HTTPS sessions

Number of HTTPS redirect sessions for the user.

HTTPS rejected

Number of discarded HTTPS redirect session requests for the user.

 

Related commands

portal redirect max-session

portal redirect max-session per-user

display portal redirect session-record

Use display portal redirect session-record to display history records about portal redirect sessions.

Syntax

display portal redirect session-record [ start-time start-date start-time ] [ end-time end-date end-time ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

start-time start-date start-time: Specifies the start time of a time range. The start date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time must be in the format of hh:mm. The value range for the start time is 00:00 to 23:59. If you do not specify a start time, the time range starts when portal authentication was enabled.

end-time end-date end-time: Specifies the end time of a time range. The end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The end time must be in the format of hh:mm. The value range for the end time is 00:00 to 23:59. If you do not specify an end time, the time range ends with the current time.

Usage guidelines

The device records statistics about portal redirect sessions on a per minute basis since portal authentication is enabled. The device only keeps records generated within the most recent 24 hours. Twenty-four hours later, a new record will override the oldest record.

Examples

# Display history records about portal redirect sessions in the time range from 2019/3/20 14:40 to now.

<Sysname> display portal redirect session-record start-time 2019/3/20 14:40

 

Time               HTTP sessions  HTTP rejected  HTTPS sessions  HTTPS rejected

2019/03/20 14:40   1              0              21              1

2019/03/20 14:41   2              0              21              1

2019/03/20 14:42   13             1              31              1

2019/03/20 14:43   14             1              0               0

Table 15 Command output

Field

Description

Time

Time when the record was generated.

HTTP sessions

Number of HTTP redirect sessions for all portal users.

HTTP rejected

Number of discarded HTTP redirect session requests for all portal users.

HTTPS sessions

Number of HTTPS redirect sessions for all portal users.

HTTPS rejected

Number of discarded HTTPS redirect session requests for all portal users.

 

Related commands

reset portal redirect session-record

display portal redirect session-statistics

Use display portal redirect session-statistics to display summary statistics about portal redirect sessions.

Syntax

display portal redirect session-statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

Examples

# Display summary statistics about portal redirect sessions.

<Sysname> display portal redirect session-statistics

  HTTP sessions  HTTP rejected  HTTPS sessions  HTTPS rejected

  30             2              73              3

Table 16 Command output

Field

Description

HTTP sessions

Number of HTTP redirect sessions for all portal users.

HTTP rejected

Number of rejected HTTP redirect session requests for all portal users.

HTTPS sessions

Number of HTTPS redirect sessions for all portal users.

HTTPS rejected

Number of rejected HTTPS redirect session requests for all portal users.

 

Related commands

reset portal redirect session-statistics

display portal redirect statistics

Use display portal redirect statistics to display portal redirect packet statistics.

Syntax

display portal redirect statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display portal redirect packet statistics.

<Sysname> display portal redirect statistics

 HTTP requests  HTTP responses  HTTPS requests  HTTPS responses

 1              1               1               1

Table 17 Command output

Field

Description

HTTP requests

Total number of HTTP redirect requests.

HTTP responses

Total number of HTTP redirect responses.

HTTPS requests

Total number of HTTPS redirect requests.

HTTPS responses

Total number of HTTPS redirect responses.

 

Related commands

reset portal redirect statistics

display portal rule

Use display portal rule to display portal filtering rules.

Syntax

display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all portal filtering rules, including dynamic and static portal filtering rules.

dynamic: Displays dynamic portal filtering rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface.

static: Displays static portal filtering rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays portal filtering rules for all radios of the AP.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display all portal filtering rules on AP fatap.

<Sysname> display portal rule all ap fatap

IPv4 portal rules on fatap

Radio ID : 1

SSID     : portal

Rule 1:

 Type                : Static

 Action              : Forbid

 Protocol            : Any

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

    SSID           : portal

    Interface      : WLAN-BSS1/0/1

Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

 

Rule 2:

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 23

    MAC       : 0000-0000-0000

    Interface : WLAN-BSS1/0/1

    VLAN      : any

 Destination:

    IP        : 192.168.0.111

    Mask      : 255.255.255.255

    Port      : Any

 

Rule 3:

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP        : 2.2.2.2

    MAC       : 000d-88f8-0eab

    Interface : WLAN-BSS1/0/1

    VLAN      : 2

 Author ACL:

    Number    : N/A

 Author Web URL    : http://1.1.1.1

 

Rule 4:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Interface : WLAN-BSS1/0/1

    VLAN      : any

    Protocol  : TCP

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 80

 

Rule 5:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Interface : WLAN-BSS1/0/1

    VLAN      : Any

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

Table 18 Command output

Field

Description

Radio ID

ID of the radio.

SSID

Service set identifier.

Rule

Number of the portal rule. IPv4 portal filtering rules and IPv6 portal filtering rules are numbered separately.

Type

Type of the portal filtering rule:

·     Static—Static portal rule.

·     Dynamic—Dynamic portal rule.

Action

Action triggered by the portal filtering rule:

·     Permit—The interface allows packets to pass.

·     Forbid—The interface forbids packets to pass.

·     Redirect—The interface redirects packets.

·     Deny—The interface denies packets.

·     Match pre-auth ACL—The interface matches packets against the authorized ACL rules in the preauthentication domain.  

Protocol

Transport layer protocol permitted by the portal filtering rule:

·     Any—Permits any transport layer protocol.

·     TCP—Permits TCP.

·     UDP—Permits UDP.

Status

Status of the portal filtering rule:

·     Active—The portal rule is effective.

·     Unactuated—The portal rule is not activated.

Source

Source information of the portal filtering rule.

IP

Source IPv4 or IPv6 address.

If the IPv6 address of a portal user changes after the user has come online, this field displays colons (::). This value indicates that no IP address is specified in the portal filtering rule.

Mask

Subnet mask of the source IPv4 address.

Prefix length

Prefix length of the source IPv6 address.

Port

Source transport layer port number.

MAC

Source MAC address.

SSID

Source SSID.

This field is displayed only if an SSID is specified in the portal-forbidden rule configured by using the portal forbidden-rule command.

Interface

Layer 2 or Layer 3 interface on which the portal rule is implemented.

VLAN

Source VLAN ID.

Protocol

Transport layer protocol of the portal redirect rule. This field always displays TCP.

Destination

Destination information of the portal filtering rule.

IP

Destination IP address.

Port

Destination transport layer port number.

Mask

Subnet mask of the destination IPv4 address.

Prefix length

Prefix length of the destination IPv6 address.

Author ACL

Authorized ACL assigned to authenticated portal users. This field is displayed only for a dynamic portal filtering rule.

Pre-auth ACL

Authorized ACL assigned to preauthentication portal users. This field is displayed only for the Match pre-auth ACL action.

Number

Number of the authorized ACL. This field displays N/A if the AAA server does not assign an ACL.

Author Web URL

Authorized Web URL assigned to authenticated portal users. This field is displayed only for a dynamic portal filtering rule.

 

display portal safe-redirect statistics

Use display portal safe-redirect statistics to display portal safe-redirect packet statistics.

Syntax

display portal safe-redirect statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display portal safe-redirect packet statistics.

<Sysname> display portal safe-redirect statistics

Redirect statistics:

  Success: 5

  Failure: 6

  Total: 11

 

Method statistics:

  Get: 6

  Post: 2

  Others: 3

 

Default-action statistics:

  Permit: 1

  Forbid: 0

 

User agent statistics:

  Safari: 3

  Chrome: 2

 

Forbidden User URL statistics:

  http://www.abc.com: 0

 

Forbidden filename extension statistics:

.jpg: 0

Table 19 Command output

Field

Description

Success

Number of packets redirected successfully.

Failure

Number of packets failed redirection.

Total

Total number of packets.

Method statistics

Statistics of HTTP request methods.

Get

Number of packets with the GET request method.

Post

Number of packets with the POST request method.

Other

Number of packets with other request methods.

User agent statistics

Browser types (in HTTP User Agent) allowed by portal safe-redirect, and packet statistics for the browsers.

Forbidden URL statistics

URLs forbidden by portal safe-redirect, and statistics for packets dropped by forbidden URL filtering.

Forbidden filename extension statistics

Filename extensions forbidden by portal safe-redirect, and statistics for packets dropped by forbidden filename extension filtering.

Permit user URL statistics

URLs permitted by portal safe-redirect, and packet statistics for the URLs.

Default-action statistics

Statistics on packets processed by the default actions of portal safe-redirect.

 

Related commands

reset portal safe-redirect statistics

display portal server

Use display portal server to display information about portal authentication servers.

Syntax

display portal server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server-name argument, this command displays information about all portal authentication servers.

Examples

# Display information about portal authentication server pts.

<Sysname> display portal server pts

Portal server: pts

  Type                  : IMC

  IP                    : 192.168.0.111

  VPN instance          : Not configured

  Port                  : 50100

  Server detection      : Timeout 60s  Action: log, trap

  User synchronization  : Timeout 200s

  Status                : Up

  Exclude-attribute     : Not configured

  Logout notification   : Retry 3 interval 5s

Table 20 Command output

Field

Description

Type

Portal authentication server type:

·     CMCC—CMCC server.

·     IMC—IMC server.

Portal server

Name of the portal authentication server.

IP

IP address of the portal authentication server.

VPN instance

This field is not supported in the current software version.

MPLS L3VPN where the portal authentication server resides.

Port

Listening port on the portal authentication server.

Server detection

Parameters for portal authentication server detection:

·     Detection timeout in seconds.

·     Actions (log and trap) triggered by the reachability status change of the portal authentication server.

User synchronization

User idle timeout in seconds for portal user synchronization.

Status

Reachability status of the portal authentication server:

·     Up—This value indicates one of the following conditions:

¡     Portal authentication server detection is disabled.

¡     Portal authentication server detection is enabled and the server is reachable.

·     Down—Portal authentication server detection is enabled and the server is unreachable.

Exclude-attribute

Attributes that are not carried in portal protocol packets sent to the portal authentication server.

Logout-notification

Maximum number of times and the interval (in seconds) for retransmitting a logout notification packet.

 

Related commands

portal enable

portal server

server-detect (portal authentication server view)

user-sync

display portal user

Use display portal user to display information about portal users.

Syntax

display portal user { all | ap ap-name [ radio radio-id ] | auth-type { cloud | email | facebook | local | mac-trigger | normal | qq | wechat } | interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address | mac mac-address | pre-auth [ interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address ] | username username } [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays information about all portal users.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays information about portal users for all radios of the AP.

auth-type: Specifies an authentication type.

cloud: Specifies the cloud authentication (a cloud portal authentication server performs portal authentication on portal users).

email: Specifies the email authentication.

facebook: Specifies the Facebook authentication.

local: Specifies the local authentication (a local portal authentication server performs portal authentication on portal users).

mac-trigger: Specifies the MAC-trigger authentication.

normal: Specifies the normal authentication (a remote portal authentication server performs portal authentication on portal users).

qq: Specifies QQ authentication.

wechat: Specifies WeChat authentication.

interface interface-type interface-number: Displays information about portal users on the specified interface.

ip ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

mac mac-address: Specifies the MAC address of a portal user, in the format of H-H-H.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

pre-auth: Displays information about preauthentication portal users. A preauthentication user is a user who is authorized with the authorization attributes in a preauthentication domain before portal authentication. If you do not specify the pre-auth keyword, this command displays information about authenticated portal users.

brief: Displays brief information about portal users.

verbose: Displays detailed information about portal users.

Usage guidelines

If you specify neither the brief nor the verbose keyword, this command displays portal authentication-related information for portal users.

Examples

# Display information about all portal users.

<Sysname> display portal user all

Total portal users: 1

Username: def

  AP name: ap1

  Radio ID: 1

  SSID: portal

  Portal server: pts

  State: Online

  VPN instance: vpn1

  MAC                IP                 VLAN   Interface

  000d-88f8-0eac     4.4.4.4            2      Bss1/2

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    ACL number/name: 3000 (active, AAA)

    Inbound CAR: CIR 9000       bps PIR 20500      bps

                 CBS 20500      bit (active, AAA)

    Outbound CAR: CIR 9000       bps PIR 20400      bps

                  CBS 20400      bit (active, AAA)

    Web URL: http://1.1.1.1

# Display information about portal users whose authentication type is normal authentication.

<Sysname> display portal user auth-type normal

Total remote users: 1

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active, OAuth)

    ACL number/name: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

    Web URL: http://1.1.1.1

# Display information about the portal user whose MAC address is 000d-88f8-0eab.

<Sysname> display portal user mac 000d-88f8-0eab

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active, OAuth)

    ACL number/name: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

    Web URL: http://1.1.1.1

# Display information about the portal user whose username is abc.

<Sysname> display portal user username abc

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active, OAuth)

    ACL number/name: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

    Web URL: http://1.1.1.1

Table 21 Command output

Field

Description

Total portal users

Total number of portal users.

Total normal users

Total number of portal users whose authentication type is normal authentication.

Total local users

Total number of portal users whose authentication type is local authentication.

Total email users

Total number of portal users whose authentication type is email authentication.

Total cloud users

Total number of portal users whose authentication type is cloud authentication.

Total QQ users

Total number of portal users whose authentication type is QQ authentication.

Total WeChat users

Total number of portal users whose authentication type is WeChat authentication.

Total facebook users

Total number of portal users whose authentication type is Facebook authentication.

Total MAC-trigger users

Total number of portal users whose authentication type is MAC-trigger authentication.

Username

Name of the user.

Portal server

Name of the portal authentication server.

State

Current state of the portal user:

·     Initialized—The user is initialized and ready for authentication.

·     Authenticating—The user is being authenticated.

·     Waiting SetRule—Deploying portal rules to the user.

·     Authorizing—The user is being authorized.

·     Online—The user is online.

·     Waiting Traffic—Waiting for traffic from the user.

·     Stop Accounting—Stopping accounting for the user.

·     Done—The user is offline.

VPN instance

This field is not supported in the current software version.

MPLS L3VPN the portal user belongs to. If the portal user is on a public network, this field displays N/A.

MAC

MAC address of the portal user.

IP

IP address of the portal user.

VLAN

VLAN where the portal user resides.

Interface

Access interface of the portal user.

Authorization information

Authorization information for the portal user.

DHCP IP pool

Name of the authorized IP address pool. If no IP address pool is authorized for the portal user, this field displays N/A.

User profile

Authorized user profile:

·     N/A—No user profile is authorized.

·     active, AAA—The AAA server has authorized the user profile successfully.

·     inactive, AAA—The AAA server failed to authorize the user profile or the user profile does not exist on the device.

·     active, OAuth—The OAuth server has authorized the user profile successfully.

·     inactive, OAuth—The OAuth server failed to authorize the user profile.

ACL number/name

Number or name of the authorized ACL:

·     N/A—No ACL is authorized.

·     active, AAA—The AAA server has authorized the ACL successfully.

·     inactive, AAA—The AAA server failed to authorize the ACL or the ACL does not exist on the device.

·     active, OAuth—The OAuth server has authorized the ACL successfully.

·     inactive, OAuth—The OAuth server failed to authorize the ACL.

Inbound CAR

Authorized inbound CAR information:

·     N/A—No inbound CAR is authorized.

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active, AAA—The AAA server has authorized the inbound CAR successfully.

·     inactive, AAA—The AAA server failed to authorize the inbound CAR.

·     active, OAuth—The OAuth server has authorized the inbound CAR successfully.

·     inactive, OAuth—The OAuth server failed to authorize the inbound CAR.

Outbound CAR

Authorized outbound CAR information:

·     N/A—No outbound CAR is authorized.

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active, AAA—The AAA server has authorized the outbound CAR successfully.

·     inactive, AAA—The AAA server failed to authorize the outbound CAR.

·     active, OAuth—The OAuth server has authorized the outbound CAR successfully.

·     inactive, OAuth—The OAuth server failed to authorize the outbound CAR.

Web URL

Authorized Web URL. This field displays N/A if no Web URL is authorized.

 

# Display detailed information about the portal user whose IP address is 18.18.0.20.

<Sysname> display portal user ip 18.18.0.20 verbose

Basic:

AP name: ap1

  Radio ID: 1

  SSID: portal

  Current IP address: 18.18.0.20

  Original IP address: 18.18.0.20

  Username: chap1

  User ID: 0x10000001

  Access interface: WLAN_BSS1/0/1

  Service-VLAN/Customer-VLAN: 50/-

  MAC address: 7854-2e1c-c59e

  Authentication type: Normal

  Domain name: portal

  VPN instance: N/A

  Status: Online

  Portal server: pt

  Vendor: Apple

  Portal authentication method: Direct

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Online duration (hh:mm:ss): 1:53:7

  Login time: 2014-12-25 10:47:53 UTC

  DHCP IP pool: N/A

  Web URL: http://1.1.1.1

ACL&QoS&Multicast:

  Inbound CAR: N/A

  Outbound CAR: N/A

  ACL number/name: N/A

  User profile: N/A

  Session group profile: N/A

  Max multicast addresses: 4

Traffic statistic:

  Uplink packets/bytes: 6/412

  Downlink packets/bytes: 0/0

Dual-stack traffic statistics:

  IPv4 address: 18.18.0.20

            Uplink   packets/bytes: 3/200

            Downlink packets/bytes: 0/0

  IPv6 address: 2001::2

            Uplink   packets/bytes: 3/212

            Downlink packets/bytes: 0/0

Accounting-separate traffic statistics:

  18.18.0.20:

            Uplink   packets/bytes: 3/200

            Downlink packets/bytes: 0/0

  2001::2:

            Uplink   packets/bytes: 3/200

            Downlink packets/bytes: 0/0

  2001::3:

            Uplink   packets/bytes: 4/300

            Downlink packets/bytes: 0/0

  2001::4:

            Uplink   packets/bytes: 4/300

            Downlink packets/bytes: 0/0

Table 22 Command output

Field

Description

Current IP address

IP address of the portal user after passing authentication.

Original IP address

IP address of the portal user during authentication.

Username

Name of the portal user.

User ID

Portal user ID.

Access interface

Access interface of the portal user.

Service-VLAN/Customer-VLAN

Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.

MAC address

MAC address of the portal user.

Authentication type

Type of portal authentication:

·     Normal—Normal authentication.

·     Local—Local authentication.

·     Email—Email authentication.

·     Cloud—Cloud authentication.

·     QQ—QQ authentication.

·     WeChat—WeChat authentication.

·     Facebook—Facebook authentication.

·     MAC-trigger—MAC-trigger authentication.

Domain

ISP domain name for portal authentication.

VPN instance

This field is not supported in the current software version.

MPLS L3VPN to which the portal user belongs. If the portal user is on a public network, this field displays N/A.

Status

Status of the portal user:

·     Authenticating—The user is being authenticated.

·     Authorizing—The user is being authorized.

·     Waiting SetRule—Deploying portal rules to the user.

·     Online—The user is online.

·     Waiting Traffic—Waiting for traffic from the user.

·     Stop Accounting—Stopping accounting for the user.

·     Done—The user is offline.

Portal server

Name of the portal server.

Vendor

Vendor name of the endpoint.

Portal authentication method

Portal authentication method on the access interface:

·     Direct—Direct authentication.

·     Re-Dhcp—Re-DHCP authentication.

·     Layer3—Cross-subnet authentication.

AAA

AAA information about the portal user.

Realtime accounting interval

Interval for sending real-time accounting updates, and the maximum number of accounting attempts. If the real-time accounting is not authorized, this field displays N/A.

Idle-cut

Idle timeout period and the minimum traffic threshold. If idle-cut is not authorized, this field displays N/A.

Session duration

Session duration and the remaining session time. If the session duration is not authorized, this field displays N/A.

Remaining traffic

Remaining traffic for the portal user. If the remaining traffic is not authorized, this field displays N/A.

Login time

Time when the user logged in. The field uses the device time format, for example, 2023-1-19  2:42:30 UTC.

DHCP IP pool

Authorized DHCP IP address pool. If no DHCP IP address pool is authorized for the portal user, this field displays N/A.

Web URL

Authorized Web URL. If no Web URL is authorized for the portal user, this field displays N/A.

Inbound CAR

Authorized inbound CAR information:

·     N/A—No inbound CAR is authorized.

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active, AAA—The AAA server has authorized the inbound CAR successfully.

·     inactive, AAA—The AAA server failed to authorize the inbound CAR.

·     active, OAuth—The OAuth server has authorized the inbound CAR successfully.

·     inactive, OAuth—The OAuth server failed to authorize the inbound CAR.

Outbound CAR

Authorized outbound CAR information:

·     N/A—No outbound CAR is authorized.

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active, AAA—The AAA server has authorized the outbound CAR successfully.

·     inactive, AAA—The AAA server failed to authorize the outbound CAR.

·     active, OAuth—The OAuth server has authorized the outbound CAR successfully.

·     inactive, OAuth—The OAuth server failed to authorize the outbound CAR.

ACL number/name

Number or name of the authorized ACL:

·     N/A—No ACL is authorized..

·     active, AAA—The AAA server has authorized the ACL successfully.

·     inactive, AAA—The AAA server failed to authorize the ACL or the ACL does not exist on the device.

·     active, OAuth—The OAuth server has authorized the ACL successfully.

·     inactive, OAuth—The OAuth server failed to authorize the ACL.

User profile

Authorized user profile:

·     N/A—No user profile is authorized.

·     active, AAA—The AAA server has authorized the user profile successfully.

·     inactive, AAA—The AAA server failed to authorize the user profile or the user profile does not exist on the device.

·     active, OAuth—The OAuth server has authorized the user profile successfully.

·     inactive, OAuth—The OAuth server failed to authorize the user profile.

Max multicast addresses

Maximum number of multicast groups the portal user can join.

Multicast address list

Multicast group list the portal user can join. If no multicast group is authorized, this field displays N/A.

Traffic statistic

Traffic statistics for the portal user.

Uplink packets/bytes

Packet and byte statistics of the upstream traffic.

Downlink packets/bytes

Packet and byte statistics of the downstream traffic.

Dual-stack traffic statistic

IPv4 and IPv6 traffic statistics for the dual-stack user.

Accounting-separate traffic statistics

Traffic statistics of dual-statck users or users with multiple IPv6 addresses.

IPv4 address

IPv4 address of the portal user.

IPv6 address

IPv6 address of the portal user.

Uplink packets/bytes

Packet and byte statistics of the upstream traffic.

Downlink packets/bytes

Packet and byte statistics of the downstream traffic.

 

# Display brief information about all portal users.

<Sysname> display portal user all brief

IP address       MAC address       Online duration       Username

4.4.4.4          000d-88f8-0eac    1:53:7                def

Table 23 Command output

Field

Description

IP address

IP address of the portal user.

MAC address

MAC address of the portal user.

Online duration

Online duration of the portal user, in hh:ss:mm.

Username

Username of the portal user.

 

Related commands

portal enable

display portal user count

Use display portal user count to display the number of portal users.

Syntax

display portal user count

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the number of portal users.

<Sysname> display portal user count

Total number of users: 1

Related commands

portal enable

portal delete-user

display portal user dhcp-lease

Use display portal user dhcp-lease to display DHCP lease information for IPv4 portal users.

Syntax

display portal user dhcp-lease [ ipv4 ipv4-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4 ipv4-address: Specify an IPv4 portal user by its IPv4 address. If you do not specify an IPv4 portal user, this command displays DHCP lease information about all IPv4 portal users.

Usage guidelines

Use this command only when DHCP packet capture is enabled to detect online status of portal users. To enable the DHCP packet capture feature, use the portal idle-cut dhcp-capture enable command.

Examples

# Display DHCP lease information for all IPv4 portal users.

<Sysname> display portal user dhcp-lease

Total DHCP lease entries: 2

IPv4 address      MAC address           Lease time          Remaining time

1.1.1.1           AABB-CCDD-1122        02h 00m 00s         01h 10m 46s

1.1.1.2           AABB-CCDD-1133        01h 00m 00s         00h 08m 46s

 

# Display DHCP lease information for an IPv4 portal user.

<Sysname> display portal user dhcp-lease ip 1.1.1.1

IPv4 address      MAC address           Lease time          Remaining time

1.1.1.1           AABB-CCDD-1122        02h 00m 00s         01h 10m 46s

Table 24 Command output

Field

Description

Total DHCP lease entries

Total number of DHCP lease entries of IPv4 portal users.

IPv4 address

IPv4 address of an IPv4 portal user.

MAC

MAC address of the IPv4 portal user.

Lease time

Lease time period for the IPv4 address.

·     If the time period is less than one day, this field is displayed in the xxh xxm xxs format.

·     If the time period is less than one week, this field is displayed in the xd xxh format.

·     If the time period is greater than one week, this field is displayed in the xw xd xxh format.

The w, d, h, m, and s represent weeks, days, hours, minutes, and seconds, respectively.

Remaining time

Remaining lease time period for the IPv4 address.

·     If the time period is less than one day, this field is displayed in the xxh xxm xxs format.

·     If the time period is less than one week, this field is displayed in the xd xxh format.

·     If the time period is greater than one week, this field is displayed in the xw xd xxh format.

The w, d, h, m, and s represent weeks, days, hours, minutes, and seconds, respectively.

 

Related commands

portal idle-cut dhcp-capture enable

display portal user dhcpv6-lease

display portal user dhcpv6-lease to display DHCPv6 lease information for IPv6 portal users.

Syntax

display portal user dhcpv6-lease [ ipv6 ipv6-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6 ipv6-address: Specify an IPv6 portal user by its IPv6 address. If you do not specify an IPv6 portal user, this command displays DHCPv6 lease information about all IPv6 portal users.

Usage guidelines

Use this command only when DHCP packet capture is enabled to detect online status of portal users. To enable the DHCP packet capture feature, use the portal idle-cut dhcp-capture enable command.

Examples

# Display DHCPv6 lease information for all IPv6 portal users.

<Sysname> display portal user dhcpv6-lease

Total DHCPv6 lease entries: 2

IPv6 address            MAC address       Lease time     Remaining time

2000::1                 AABB-CCDD-1144    02h 00m 00s    01h 10m 46s

2000::2                 AABB-CCDD-1155    01h 00m 00s    00h 08m 46s

# Display DHCPv6 lease information for an IPv6 portal user.

<Sysname> display portal user dhcpv6-lease ipv6 2000::1

IPv6 address            MAC address       Lease time     Remaining time

2000::1                 AABB-CCDD-1144    02h 00m 00s    01h 10m 46s

Table 25 Command output

Field

Description

Total DHCP lease entries

Total number of DHCPv6 lease entries of IPv6 portal users.

IPv4 address

IPv4 address of an IPv6 portal user.

MAC

MAC address of the IPv6 portal user.

Lease time

Lease time period for the IPv4 address.

·     If the time period is less than one day, this field is displayed in the xxh xxm xxs format.

·     If the time period is less than one week, this field is displayed in the xd xxh format.

·     If the time period is greater than one week, this field is displayed in the xw xd xxh format.

The w, d, h, m, and s represent weeks, days, hours, minutes, and seconds, respectively.

Remaining time

Remaining lease time period for the IPv4 address.

·     If the time period is less than one day, this field is displayed in the xxh xxm xxs format.

·     If the time period is less than one week, this field is displayed in the xd xxh format.

·     If the time period is greater than one week, this field is displayed in the xw xd xxh format.

The w, d, h, m, and s represent weeks, days, hours, minutes, and seconds, respectively.

 

Related commands

portal idle-cut dhcp-capture enable

display portal web-server

Use display portal web-server to display information about portal Web servers.

Syntax

display portal web-server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. If you do not specify a portal Web server, this command displays information about all portal Web servers.

Examples

# Display information about portal Web server wbs.

<Sysname> display portal web-server wbs

Portal Web server: wbs

    Type IMC

    URL: http://www.test.com/portal

    URL parameters: userurl=http://www.test.com/welcome

                    userip=source-address

    VPN instance: Not configured

    Server detection:

      Interval: 120s

      Attempts: 5

      Action: log, trap

      Detection URL: http://www.test.com/portal

      Detection type: TCP

    IPv4 status: Up

    IPv6 status: Up

    Captive-bypass: Disabled

    If-match: original-url:  http://2.2.2.2, redirect-url:  http://192.168.56.2

              original-url:   http://1.1.1.1, temp-pass redirect-url:

              http://192.168.1.1

Table 26 Command output

Field

Description

Type

Portal Web server type:

·     CMCC—CMCC server.

·     IMC—IMC server.

Portal Web server

Name of the portal Web server.

URL

URL of the portal Web server.

URL parameters

URL parameters for the portal Web server.

VPN instance

This field is not supported in the current software version.

Name of the MPLS L3VPN where the portal Web server resides.

Server detection

Parameters for portal Web server detection:

·     Detection interval in seconds.

·     Maximum number of detection attempts.

·     Actions (log and trap) triggered by the reachability status change of the portal Web server.

Detection URL

Portal Web server detection URL.

Detection type

Type of portal Web server detection:

·     TCP.

·     HTTP.

IPv4 status

Current state of the IPv4 portal Web server:

·     Up—This value indicates one of the following conditions:

¡     Portal Web server detection is disabled.

¡     Portal Web server detection is enabled and the server is reachable.

·     Down—Portal Web server detection is enabled and the server is unreachable.

IPv6 status

Current state of the IPv6 portal Web server:

·     Up—This value indicates one of the following conditions:

¡     Portal Web server detection is disabled.

¡     Portal Web server detection is enabled and the server is reachable.

·     Down—Portal Web server detection is enabled and the server is unreachable.

Captive-bypass

Status of the captive-bypass feature:

·     Disabled—Captive-bypass is disabled.

·     Enabled—Captive-bypass is enabled.

·     Optimize Enabled—Optimized captive-bypass is enabled.

If-match

Match rules configured for URL redirection. This field displays Not configured if no match rules for URL redirection are configured.

 

Related commands

portal enable

portal web-server

server-detect (portal Web server view)

server-detect url

display web-redirect rule

Use display web-redirect rule to display information about Web redirect rules.

Syntax

display web-redirect rule { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify this option, the command displays Web redirect rules for all radios of the AP.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display all Web redirect rules on VLAN-interface 100.

<Sysname> display web-redirect rule interface vlan-interface 100

IPv4 web-redirect rules on vlan-interface 100:

Rule 1:

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 192.168.2.114

    VLAN           : Any

 

Rule 2:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    VLAN           : Any

    Protocol       : TCP

 Destination:

    Port           : 80

 

IPv6 web-redirect rules on vlan-interface 100:

Rule 1:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    VLAN           : Any

    Protocol       : TCP

 Destination:

    Port           : 80

# Display all Web redirect rules on AP ap1.

<Sysname> display web-redirect rule ap ap1

IPv4 web-redirect rules on ap1:

Radio ID: 1

SSID     : portal

Rule 1:

Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 192.168.2.114

    VLAN           : Any

 

Rule 2:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    VLAN           : Any

    Protocol       : TCP

 Destination:

    Port           : 80

Table 27 Command output

Field

Description

Rule

Number of the Web redirect rule.

Type

Type of the Web redirect rule:

·     Static—Static Web redirect rule, generated when the Web redirect feature takes effect.

·     Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.

Action

Action in the Web redirect rule:

·     Permit—Allows packets to pass.

·     Redirect—Redirects the packets.

Status

Status of the Web redirect rule:

·     Active—The Web redirect rule is effective.

·     Inactive—The Web redirect rule is not effective.

Source

Source information in the Web redirect rule.

IP

Source IP address.

Mask

Subnet mask of the source IPv4 address.

Prefix length

Prefix length of the source IPv6 address.

VLAN

Source VLAN. If not specified, this field displays Any.

Protocol

Transport layer protocol in the Web redirect rule:

·     Any—No transport layer protocol is limited.

·     TCP—Transmission Control Protocol.

Destination

Destination information in the Web redirect rule.

Port

Destination transport layer port number. The default port number is 80.

 

exclude-attribute (MAC binding server view)

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute attribute-number

undo exclude-attribute attribute-number

Default

No attributes are excluded from portal protocol packets.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

attribute-number: Specifies an attribute by its number in the range of 1 to 255.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. During MAC-trigger authentication, the device and the server cannot communicate if the device sends the portal authentication server a packet that contains an attribute unsupported by the server.

To address this issue, you can configure this command to exclude the unsupported attributes from portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes.

Table 28 describes all attributes of the portal protocol.

Table 28 Portal attributes

Name

Number

Description

UserName

1

Name of the user to be authenticated.

PassWord

2

User password in plaintext form.

Challenge

3

Random challenge for CHAP authentication.

ChapPassWord

4

CHAP password encrypted by MD5.

TextInfo

5

The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server.

The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.

UpLinkFlux

6

Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.

DownLinkFlux

7

Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.

Port

8

Port information, a string excluding the end character '\0'.

IP-Config

9

This attribute has different meanings in different types of packets.

·     The device uses this attribute in ACK _AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP.

·     The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.

BAS-IP

10

IP address of the access device. For re-DHCP portal authentication, the value of this attribute is the public IP address of the access device.

Session-ID

11

Identification of a portal user. Generally, the value of this attribute is the MAC address of the portal user.

Delay-Time

12

Delay time for sending a packet. This attributes exists in NTF_LOGOUT (Type=0x08) packets.

User-List

13

List of IP addresses of an IPv4 portal user.

EAP-Message

14

An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet.

User-Notify

15

Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently.

BAS-IPv6

100

IPv6 address of the access device.

UserIPv6-List

101

List of IPv6 addresses of an IPv6 portal user.

 

Examples

# Exclude the BAS-IP attribute (number 10) from portal packets sent to MAC binding server 123.

<Sysname> system-view

[Sysname] portal mac-trigger-server 123

[Sysname-portal-mac-trigger-server-123] exclude-attribute 10

exclude-attribute (portal authentication server view)

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute number { ack-auth | ack-logout | ntf-logout }

undo exclude-attribute number { ack-auth | ack-logout | ntf-logout }

Default

No attributes are excluded from portal protocol packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

number: Specifies an attribute by its number in the range of 1 to 255.

ack-auth: Excludes the attribute from ACK_AUTH packets.

ack-logout: Excludes the attribute from ACK_LOGOUT packets.

ntf-logout: Excludes the attribute from NTF_LOGOUT packets.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.

To address this issue, you can configure this command to exclude the unsupported attributes from specific portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple types of portal protocol packets (ack-auth, ntf-logout, and ack-logout).

Table 29 describes all attributes of the portal protocol.

Table 29 Portal attributes

Name

Number

Description

UserName

1

Name of the user to be authenticated.

PassWord

2

User password in plaintext form.

Challenge

3

Random challenge for CHAP authentication.

ChapPassWord

4

CHAP password encrypted by MD5.

TextInfo

5

The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server.

The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.

UpLinkFlux

6

Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.

DownLinkFlux

7

Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.

Port

8

Port information, a string excluding the end character '\0'.

IP-Config

9

This attribute has different meanings in different types of packets.

·     The device uses this attribute in ACK _AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP.

·     The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.

BAS-IP

10

IP address of the access device. For re-DHCP portal authentication, the value of this attribute is the public IP address of the access device.

Session-ID

11

Identification of a portal user. Generally, the value of this attribute is the MAC address of the portal user.

Delay-Time

12

Delay time for sending a packet. This attributes exists in NTF_LOGOUT (Type=0x08) packets.

User-List

13

List of IP addresses of an IPv4 portal user.

EAP-Message

14

An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet.

User-Notify

15

Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently.

BAS-IPv6

100

IPv6 address of the access device.

UserIPv6-List

101

List of IPv6 addresses of an IPv6 portal user.

 

Examples

# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] exclude-attribute 6 ack-auth

Related commands

display portal server

free-traffic threshold

Use free-traffic threshold to set the free-traffic threshold for portal users.

Use undo free-traffic threshold to restore the default.

Syntax

free-traffic threshold value

undo free-traffic threshold

Default

The free-traffic threshold is 0 bytes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the free-traffic threshold in the range of 0 to 10240000 bytes. If the free-traffic threshold is set to 0, the device immediately triggers MAC-based quick portal authentication for a user once the user's traffic is detected.

Usage guidelines

After MAC-based quick portal authentication is configured, the device monitors a user's network traffic (sent and received) in real time before the MAC-trigger entry for the user ages out. A user can access the network without authentication if the user's network traffic is below the free-traffic threshold. When the user's network traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user.

If the user passes portal authentication, the device deletes the MAC-trigger entry and clears the user traffic statistics. If the user fails authentication, the device does not trigger MAC-based quick authentication for the user before the MAC-trigger entry ages out. When the MAC-trigger entry ages out, the device clears the user traffic statistics.

When traffic is detected from the user again, the device re-creates a MAC-trigger entry for the user and repeats the previous procedure.

Examples

# Set the free-traffic threshold for portal users to 10240 bytes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] free-traffic threshold 10240

Related commands

display portal mac-trigger-server

if-match

Use if-match to configure a match rule for URL redirection.

Use undo if-match to delete a URL redirection match rule.

Syntax

if-match { original-url url-string redirect-url url-string [ url-param-encryption { aes | des } key { cipher | simple } string ] | user-agent string redirect-url url-string }

undo if-match { original-url url-string | user-agent user-agent }

 

Default

No URL redirection match rules exist.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in HTTP or HTTPS requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

url-param-encryption: Specifies an encryption algorithm to encrypt the parameters carried in the redirection URL. If you do not specify an encryption algorithm, the parameters carried in the redirection URL are not encrypted.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

·     If des cipher is specified, the string length is 41 characters.

·     If des simple is specified, the string length is 8 characters.

·     If aes cipher is specified, the string length is 1 to 73 characters.

·     If aes simple is specified, the string length is 1 to 31 characters.

user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP/HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.

Usage guidelines

A URL redirection match rule matches HTTP or HTTPS requests by user-requested URL or User-Agent information, and redirects the matching HTTP or HTTPS requests to the specified redirection URL.

For a user to successfully access a redirection URL, configure a portal-free rule to allow HTTP or HTTPS requests destined for the redirection URL to pass. For information about configuring portal-free rules, see the portal free-rule command.

For a portal Web server, you can configure the url command and the if-match command for URL redirection. The url command redirects all HTTP or HTTPS requests from unauthenticated users to the portal Web server for authentication. The if-match command allows for flexible URL redirection by redirecting specific HTTP or HTTPS requests to specific redirection URLs. If both commands are executed, the if-match command takes priority to perform URL redirection.

If both portal safe-redirect and URL redirection match rules are configured, the device preferentially uses URL redirection match rules to perform URL redirection.

If you configure encryption for parameters in the redirection URL, you must add an encryption prompt field after the redirection URL address. For example, to redirect HTTP requests to URL 10.1.1.1 with encrypted URL parameters, specify the redirection URL as http://10.1.1.1?yyyy=. The value of yyyy depends on the portal Web server configuration. For more information, see the portal Web server configuration guide.

You can configure a redirection URL in one of the following ways:

·     For exact match—Specify a complete URL. For example, if you configure the URL as abc.com.cn, only Web requests that contain URL abc.com.cn match the rule.

·     For fuzzy match—Specify a URL by placing the asterisk (*) wildcard character at the beginning or end of the URL string. For example, if you configure the URL as *abc.com.cn, abc*, or *abc*, Web requests that carry the URL ending with abc.com.cn, starting with abc, or including abc match the rule.

¡     The asterisk (*) wildcard character represents any characters. The device treats multiple consecutive asterisks as one.

¡     The configured URL cannot contain only asterisks (*).

You cannot configure two URL redirection match rules with the same user-requested URL.

Examples

# Configure a match rule to redirect HTTP requests destined for the URL http://www.abc.com.cn to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn redirect-url http://192.168.0.1

# Configure a match rule to redirect HTTP requests that carry the user agent string 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1

Related commands

display portal web-server

portal free-rule

url

url-parameter

if-match temp-pass

Use if-match temp-pass to configure a match rule for temporary pass.

Use undo if-match temp-pass to restore the default.

Syntax

if-match { original-url url-string | user-agent user-agent } * temp-pass [ redirect-url url-string | original ]

undo if-match { original-url url-string | user-agent user-agent } * temp-pass

Default

No match rules for temporary pass are configured.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in HTTP/HTTPS requests of portal users. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP/HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.

redirect-url url-string: Redirects the matching Web requests to the specified URL. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

original: Redirects the matching Web requests to the originally requested URLs.

Usage guidelines

A match rule for temporary pass matches Web requests by URL or User-Agent information. Only the matching Web requests are temporarily permitted to pass.

A permitted request can be redirected to the specified redirection URL or to the originally requested URL, depending on the redirection action in the match rule. If you do not configure a redirection action (by using the redirect-url url-string option or the original keyword), the device permits the matching requests to pass without redirection.

For the match rules to take effect, make sure the portal temporary pass feature is enabled.

If you configure the same match criteria but different redirection actions in two match rules, the new configuration overwrites the existing one.

If both portal safe-redirect and portal temporary pass match rules are configured, portal temporary pass match rules take precedence.

Examples

# Configure a temporary pass rule to temporarily allow user packets that access URL http://www.abc.com.cn to pass.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn temp-pass

# Configure a temporary pass rule to temporarily allow user packets that access the URL http://www.abc.com.cn/ to pass and then redirect the packets to the originally requested URL.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn temp-pass original

# Configure a temporary pass rule to allow user packets that contain user agent information 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to pass and then redirect the packets to URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 temp-pass redirect-url http://192.168.0.1

# Configure a temporary pass rule. This rule allows user packets that access the URL  http://www.abc.com.cn/ and contain user agent information 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to pass and then redirects the packets to URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.123.com.cn user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 temp-pass redirect-url http://192.168.0.1

Related commands

display portal web-server

portal free-rule

portal temp-pass enable

url

url-parameter

ip (MAC binding server view)

Use ip to specify the IP address of a MAC binding server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ key { cipher | simple } string ]

undo ip

Default

The IP address of the MAC binding server is not specified.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of a MAC binding server.

key: Specifies a shared key to be used to authenticate packets between the device and the MAC binding server. Portal packets exchanged between the device and MAC binding server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to verify the correctness of the received portal packets. If you do not specify a shared key, the device and MAC binding server do not authenticate the packets between them.

cipher: Specifies a shared key in encrypted form.

simple: Specifies a shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the shared key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Specify 192.168.0.111 as the IP address of MAC binding server mts and portal as the plaintext key.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal

Related commands

display portal mac-trigger-server

ip (portal authentication server view)

Use ip to specify the IPv4 address of a portal authentication server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ key { cipher | simple } string ]

undo ip

Default

The IPv4 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the portal authentication server.

key: Specifies a shared key for communication with the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv4 address. Therefore, in portal authentication server view, only one IPv4 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv4 address for different portal authentication servers.

Examples

# Specify 192.168.0.111 as the IPv4 address of portal authentication server pts and plaintext key portal as the shared key for communication with the portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ip 192.168.0.111 key simple portal

Related commands

display portal server

portal server

ipv6 (MAC binding server view)

Use ipv6 to specify the IPv6 address of a MAC binding server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ key { cipher | simple } string ]

undo ipv6

Default

The IPv6 address of the MAC binding server is not specified.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a MAC binding server.

key: Specifies a shared key to be used to authenticate packets between the device and the MAC binding server. Portal packets exchanged between the device and MAC binding server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to verify the correctness of the received portal packets. If you do not specify a shared key, the device and MAC binding server do not authenticate the packets between them.

cipher: Specifies a shared key in encrypted form.

simple: Specifies a shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the shared key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Specify 2001::1 as the IPv6 address of MAC binding server mts and plaintext key portal as the shared key.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] ipv6 2001::1 key simple portal

Related commands

display portal mac-trigger-server

ipv6 (portal authentication server view)

Use ipv6 to specify the IPv6 address of a portal authentication server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ key { cipher | simple } string ]

undo ipv6

Default

The IPv6 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the portal authentication server.

key: Specifies a shared key for communication with the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv6 address. Therefore in portal authentication server view, only one IPv6 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv6 address for different portal authentication servers.

Examples

# Specify 2000::1 as the  IPv6 address of portal authentication server pts and plaintext key portal as the shared key for communication with the portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ipv6 2000::1 key simple portal

Related commands

display portal server

portal server

local-binding aging-time

Use local-binding aging-time to set the aging time for local MAC-account binding entries.

Use undo local-binding aging-time to restore the default.

Syntax

local-binding aging-time minutes

undo local-binding aging-time

Default

The aging time for local MAC-account binding entries is 720 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the aging time for local MAC-account binding entries. The value range for this argument is 1 to 129600 minutes.

Usage guidelines

The local MAC binding server uses a local MAC-account binding entry to record the MAC address and portal account information (username and password) of a portal user.

The local MAC-account binding entry of a portal user is deleted when the entry ages out. The device creates a local MAC-account binding entry for the user again when the user triggers and passes a new portal authentication.

If you disable local MAC-trigger authentication, the device does not delete existing local MAC-account binding entries. These entries are automatically deleted when they age out.

Examples

# Set the aging time for local MAC-account binding entries to 240 minutes in the view of MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] local-binding aging-time 240

Related commands

display portal mac-trigger-server

local-binding enable

local-binding enable

Use local-binding enable to enable local MAC-trigger authentication.

Use undo local-binding enable to disable local MAC-trigger authentication.

Syntax

local-binding enable

undo local-binding enable

Default

Local MAC-trigger authentication is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to act as a local MAC binding server to provide MAC-trigger authentication for local portal authentication users.

After a user passes portal authentication for the first time, the access device (local MAC binding server) generates a local MAC-account binding entry for the user. The local MAC binding-account entry records the MAC address and portal account information (username and password) of the user. Then, the user can automatically connect to the network without manual authentication for subsequent network access attempts.

Examples

# Enable local MAC-trigger authentication in the view of MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] local-binding enable

Related commands

display portal mac-trigger-server

local-binding aging-time

login failed-url

Use login failed-url to configure the redirect URL for authentication failure.

Use undo login failed-url to restore the default.

Syntax

login failed-url url-string

undo login failed-url

Default

No redirection URL for authentication failure is configured.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

url-string: Specifies the redirect URL for authentication failure, a case-sensitive string of 1 to 256 characters.

Usage guidelines

The device redirects portal users to the specified URL after they fail authentication.

Examples

# Configure the redirect URL for authentication failure as https://1.1.1.1/portal/iselogin.html.

<Sysname> system-view

[Sysname] portal local-web-server https

[Sysname-portal-local-websvr-https] login failure-url https://1.1.1.1/portal/iselogin.html

login success-url

Use login success-url to configure the redirect URL for authentication success.

Use undo login success-url to restore the default.

Syntax

login success-url url-string

undo login success-url

Default

No redirection URL for authentication success is configured.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

url-string: Specifies the redirect URL for authentication success, a case-sensitive string of 1 to 256 characters.

Usage guidelines

The device redirects portal users to the specified URL after they pass authentication.

Examples

# Configure the redirect URL for authentication success as https://1.1.1.1/portal/iselogin.html.

<Sysname> system-view

[Sysname] portal local-web-server https

[Sysname-portal-local-websvr-https] login success-url https://1.1.1.1/portal/iselogin.html

logon-page bind

Use logon-page bind to bind an endpoint name, SSID, or endpoint type to an authentication page file.

Use undo logon-page bind to unbind the endpoint name, SSID, or endpoint type from the authentication page file.

Syntax

logon-page bind { device-type { computer | pad | phone } | device-name device-name | ssid ssid-name } * file file-name

undo logon-page bind { all | device-type { computer | pad | phone } | device-name device-name | ssid ssid-name } *

Default

No endpoint name, SSID, or endpoint type is bound to an authentication page file.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

all: Specifies all endpoint names, SSIDs, and endpoint types.

device-type type-name: Specifies an endpoint type.

computer: Specifies the endpoint type as computer.

pad: Specifies the endpoint type as tablet.

phone: Specifies the endpoint type as mobile phone.

device-name device-name: Specify an endpoint by its name, a case-sensitive string of 1 to 127 characters. The specified endpoint name must have been predefined on the device. Otherwise, the bound authentication page file does not take effect.

ssid ssidname: Specifies an SSID by its name, a case-insensitive string of 1 to 32 characters. An SSID string can contain letters, digits, and spaces, but the start and end characters cannot be spaces. An SSID string cannot be f, fi, fil, or file.

file file-name: Specifies an authentication page file by the file name (without the file storage directory). A file name is a string of 1 to 91 characters, and can contain letters, digits, and underscores (_). You must edit the authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

Usage guidelines

This command implements customized authentication page pushing for portal users. After you configure this command, the device pushes authentication pages to users according to the user's, endpoint name, SSID, and endpoint type.

When a Web user triggers local portal authentication, the device searches for a binding that matches the user's endpoint name, SSID, and endpoint type.

·     If the binding exists, the device pushes the bound authentication pages to the user.

·     If multiple matching binding entries are found, the device selects an entry in the following order:

a.     The entry that specifies the SSID, endpoint name, and endpoint type.

b.     The entry that specifies the SSID and endpoint name.

c.     The entry that specifies the SSID and endpoint type.

d.     The entry that specifies only the SSID.

e.     The entry that specifies the endpoint name and endpoint type.

f.     The entry that specifies only the endpoint name.

g.     The entry that specifies only the endpoint type.

·     If the binding does not exist, the device pushes the default authentication pages to the user.

When you configure this command, follow these restrictions and guidelines:

·     If the name or content of the file in a binding entry is changed, you must reconfigure the binding.

·     To reconfigure or modify a binding, you can simply re-execute this command without canceling the existing binding.

·     If you execute this command multiple times to bind an endpoint name, SSID, or endpoint type to different authentication page files, the most recent configuration takes effect.

·     You can configure multiple binding entries on the device.

Examples

# Create an HTTP-based local portal Web service.

<Sysname> system-view

[Sysname] portal local-web-server http

# Bind SSID SSID1 to authentication page file file1.zip.

[Sysname-portal-local-websvr-http] logon-page bind ssid SSID1 file file1.zip

# Bind endpoint type phone to authentication page file file2.zip.

[Sysname-portal-local-websvr-http] logon-page bind device-type phone file file2.zip

Related commands

default-logon-page

portal local-web-server

logout-notify

Use logout-notify to set the maximum number of times and the interval for retransmitting a logout notification packet.

Use undo logout-notify to restore the default.

Syntax

logout-notify retry retries interval interval

undo logout-notify

Default

The device does not retransmit a logout notification packet.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

retry retries: Specifies the maximum number of retries, in the range of 1 to 5.

interval interval: Specifies the retry interval, in the range of 1 to 10 seconds.

Usage guidelines

A logout notification packet is a UDP packet that the device sends to the portal authentication server for forcibly logging out a portal user. To increase the delivery reliability, you can set the maximum number of times and the interval for retransmitting a logout notification packet.

After the device sends a logout notification packet for logging out a portal user, it waits for a response from the portal authentication server. If the device receives a response within the specified period of time (maximum number of retries × retry interval), it logs out and deletes the user immediately. If the device does not receive a response within the period of time, the device logs out and deletes the user when the period of time elapses.

Examples

# Set the maximum number of times for retransmitting a logout notification packet to 3 and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] portal server pt

[Sysname-portal-server-pt] logout-notify retry 3 interval 5

Related commands

display portal server

mail-domain-name

Use mail-domain-name to specify an email domain name for email authentication.

Use undo mail-address to remove an email domain name for email authentication.

Syntax

mail-domain-name string

undo mail-domain-name [ string ]

Default

No email domain names are specified for email authentication.

Views

Email authentication server view

Predefined user roles

network-admin

Parameters

string: Specifies an email domain name for email authentication, a case-sensitive string of 1 to 255 characters, in the format of @XXX.XXX.

Usage guidelines

If you do not specify an email domain name in the undo form of this command, this command removes all email domain names for email authentication.

After you configure this command, the device performs email authentication only on portal users that use the specified email domain names.

You can specify a maximum of 16 email domain names for email authentication.

Examples

# Specify @qq.com and @sina.com email domain names for email authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail] mail-domain-name @qq.com

[Sysname-portal-extend-auth-server-mail] mail-domain-name @Sina.com

Related commands

display portal extend-auth-server

mail-protocol

Use mail-protocol to specify protocols for email authentication.

Use undo mail-protocol to restore the default.

Syntax

mail-protocol { imap | pop3 } *

undo mail-protocol

Default

No protocols are specified for email authentication.

Views

Email authentication server view

Predefined user roles

network-admin

Parameters

imap: Specifies the Internet Message Access Protocol (IMAP).

pop3: Specifies the Post Office Protocol 3 (POP3).

Usage guidelines

This command specifies email protocols that the device uses to interact with the email server to perform authentication and authorization on portal users who uses email authentication.

Examples

# Specify POP3 as the protocol for email authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail] mail-protocol pop3

Related commands

display portal extend-auth-server

nas-port-type

Use nas-port-type to specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server.

Use undo nas-port-type to restore the default.

Syntax

nas-port-type value

undo nas-port-type

Default

The NAS-Port-Type value carried in RADIUS requests is not set.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the NAS-Port-Type value in the range of 1 to 255.

Usage guidelines

Some MAC binding servers identify MAC-based quick portal authentication by a specific NAS-Port-Type value in received RADIUS requests. To communicate with such a MAC binding server, you must configure the device to use the NAS-Port-Type value required by the MAC binding server.

Examples

# Set the NAS-Port-Type value in RADIUS requests sent to the MAC binding server mts to 30.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] nas-port-type 30

Related commands

display portal mac-trigger-server

port (MAC binding server view)

Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The MAC binding server listens for MAC binding query packets on UDP port 50100.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening UDP port number in the range of 1 to 65534.

Usage guidelines

The specified port number must be the same as the query listening port number configured on the MAC binding server.

Examples

# Set the UDP port number to 1000 for the MAC binding server pts to listen for MAC binding query packets.

<sysname> system-view

[sysname] portal mac-trigger-server mts

[sysname-portal-mac-trigger-server-mts] port 1000

Related commands

display portal mac-trigger-server

port (portal authentication server view)

Use port to set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The device uses 50100 as the destination UDP port number for unsolicited portal packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534.

Usage guidelines

The specified port must be the port that listens to portal packets on the portal authentication server.

Examples

# Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to the portal authentication server pts.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] port 50000

Related commands

portal server

portal accounting-separate enable

Use portal accounting-separate enable to enable per-IP accounting for dual-stack portal users or portal users with multiple IPv6 addresses.

Use undo portal accounting-separate enable to disable per-IP accounting for dual-stack portal users or portal users with multiple IPv6 addresses.

Syntax

portal accounting-separate enable

undo portal accounting-separate enable

Default

Per-IP accounting is disabled for dual-stack portal users or portal users with multiple IPv6 addresses.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the accounting server to charge portal users on a per IP address basis. For dual-stack portal users, the accounting device performs separate accounting on traffic for the IPv4 address and the IPv6 address. For portal users with multiple IPv6 addresses, the accounting device performs separate accounting on each IPv6 address.

The accounting server can perform accounting on traffic of up to five IP addresses. If a portal user has more than five IPv6 addresses, the accounting server performs accounting on traffic of the most recent five IPv6 addresses.

For dual-stack portal users, this feature takes effect only when portal dual-stack feature is enabled.

This feature takes effect on portal users that come online after the command execution. It does not affect the accounting on existing online portal users.

Examples

# Enable per-IP accounting for dual-stack portal users or portal users with multiple IPv6 addresses.

<Sysname> system-view

[Sysname] portal accounting-separate enable

Related commands

portal dual-stack enable

portal apply mac-trigger-server

Use portal apply mac-trigger-server to specify a MAC binding server.

Use undo portal apply mac-trigger-server to restore the default.

Syntax

Interface view:

portal [ ipv6 ] apply mac-trigger-server server-name

undo [ ipv6 ] portal apply mac-trigger-server

Service template view:

portal apply mac-trigger-server server-name

undo portal apply mac-trigger-server

Default

No MAC binding server is specified.

Views

VLAN interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 MAC binding server. To specify an IPv4 MAC binding server, do not speicvcy this keyword.

server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

Only direct portal authentication supports MAC-based quick portal authentication.

You can specify both an IPv4 MAC binding server and an IPv6 MAC binding server on an interface.

For MAC-based quick portal authentication to take effect, perform the following tasks:

·     Configure normal portal authentication.

·     Configure a MAC binding server.

·     Specify the MAC binding server on a portal-enabled VLAN interface or service template.

Examples

# Specify IPv4 MAC binding server mts on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal apply mac-trigger-server mts

Related commands

portal mac-trigger-server

portal apply web-server

Use portal apply web-server to specify a portal Web server. The device redirects the HTTP or HTTPS requests sent by unauthenticated portal users to the portal Web server.

Use undo portal apply web-server to delete a portal Web server.

Syntax

portal [ ipv6 ] apply web-server server-name [ secondary ]

undo portal [ ipv6 ] apply web-server [ server-name ]

Default

No portal Web servers are specified.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 portal Web server. If the server is an IPv4 portal Web server, do not specify this keyword.

secondary: Specifies the backup portal Web server. If you do not specify this keyword, the specified server is the primary portal Web server.

server-name: Specifies a portal Web server to be specified on the interface by its name, a case-sensitive string of 1 to 32 characters. The name must already exist. If you do not specify a server name in the undo form of this command, all portal Web servers on the interface or service template are removed.

Usage guidelines

IPv4 and IPv6 portal authentication can both be enabled on an interface or on a service template.

You can specify both a primary portal Web server and a backup portal Web server after enabling each type (IPv4 or IPv6) of portal authentication.

The device first uses the primary portal Web server for portal authentication. When the primary portal Web server is unreachable but the backup portal Web server is reachable, the device uses the backup portal Web server. When the primary portal Web server becomes reachable, the device switches back to the primary portal Web server for portal authentication.

To automatically switch between the primary portal Web server and the backup portal Web server, configure portal Web server detection on both servers.

Examples

# Specify portal Web server wbs as the backup portal Web server on service template service1 for portal authentication.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal apply web-server wbs secondary

Related commands

display portal

portal fail-permit server

portal web-server

server-detect (portal Web server view)

portal auth-error-record enable

Use portal auth-error-record enable to enable portal authentication error recording.

Use undo portal auth-error-record enable to disable portal authentication error recording.

Syntax

portal auth-error-record enable

undo portal auth-error-record enable

Default

Portal authentication error recording is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to save all portal authentication error records and to periodically send the records to the server.

Examples

# Enable portal authentication error recording.

<Sysname> system-view

[Sysname] portal auth-error-record enable

Related commands

display portal auth-error-record

portal auth-error-record export

Use portal auth-error-record export to export portal authentication error records to a path.

Syntax

portal auth-error-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal authentication error records are exported. The URL is a case-insensitive string of 1 to 255 characters.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The device supports FTP, TFTP, and HTTP file transfer methods. Table 30 describes the valid URL format for each method.

Table 30 URL formats

Protocol

URL format

Remarks

FTP

ftp://username[:password]@server-address[:port-number]/file-path

Example: ftp://a:1@1.1.1.1/authfail/

The username and password must be the same as those on the server.

If the server authenticates only the username, no password is required.

TFTP

tftp://server-address[:port-number]/file-path

Example: tftp://1.1.1.1/ autherror/

N/A

HTTP

http://username[:password]@server-address[:port-number]/file-path

Example: http://1.1.1.1/autherror/

The username and password must be the same as those on the server.

If the server authenticates only the username, no password is required.

 

If the server address is an IPv6 address, bracket the IPv6 address to distinguish the IPv6 address from the port number. For example, if the server address is 2001::1 and the port number is 21, the URL is ftp://test:test@[2001::1]/test/.

Examples

# Export all portal authentication error records to path tftp://1.1.1.1/record/autherror/.

<Sysname> system-view

[Sysname] portal auth-error-record export url tftp://1.1.1.1/record/autherror/

# Export portal authentication error records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/autherror/.

<Sysname> system-view

[Sysname] portal auth-error-record export url tftp://1.1.1.1/record/autherror/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

display portal auth-error-record

portal auth-error-record enable

reset portal auth-error-record

portal auth-error-record max

Use portal auth-error-record max to set the maximum number of portal authentication error records.

Use undo portal auth-error-record max to restore the default.

Syntax

portal auth-error-record max number

undo portal auth-error-record max

Default

The device supports a maximum of 6000 portal authentication error records.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal authentication error records. The value range for this argument is 1 to 6000.

Usage guidelines

When the maximum number of portal authentication error records is reached, a new record overwrites the oldest one.

Examples

# Set the maximum number of portal authentication error records to 50.

<Sysname> system-view

[Sysname] portal auth-error-record max 50

Related commands

display portal auth-error-record

portal auth-fail-record enable

Use portal auth-fail-record enable to enable portal authentication failure recording.

Use undo portal auth-fail-record enable to disable portal authentication failure recording.

Syntax

portal auth-fail-record enable

undo portal auth-fail-record enable

Default

Portal authentication failure recording is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to save portal authentication failure records and to periodically send the records to the server.

Examples

# Enable portal authentication failure recording.

<Sysname> system-view

[Sysname] portal auth-fail-record enable

Related commands

display portal auth-fail-record

portal auth-fail-record export

Use portal auth-fail-record export to export portal authentication failure records to a path.

Syntax

portal auth-fail-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal authentication failure records are exported. The URL is a case-insensitive string of 1 to 255 characters.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The device supports FTP, TFTP, and HTTP file transfer methods. Table 31 describes the valid URL format for each method.

Table 31 URL formats

Protocol

URL format

Remarks

FTP

ftp://username[:password]@server-address[:port-number]/file-path

Example: ftp://a:1@1.1.1.1/authfail/

The username and password must be the same as those on the server.

If the server authenticates only the username, no password is required.

TFTP

tftp://server-address[:port-number]/file-path

Example: tftp://1.1.1.1/ autherror/

N/A

HTTP

http://username[:password]@server-address[:port-number]/file-path

Example: http://1.1.1.1/autherror/

The username and password must be the same as those on the server.

If the server authenticates only the username, no password is required.

 

If the server address is an IPv6 address, bracket the IPv6 address to distinguish the IPv6 address from the port number. For example, if the server address is 2001::1 and the port number is 21, the URL is ftp://test:test@[2001::1]/test/.

Examples

# Export all portal authentication failure records to path tftp://1.1.1.1/record/authfail/.

<Sysname> system-view

[Sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/

# Export portal authentication failure records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/authfail/.

<Sysname> system-view

[Sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

display portal auth-fail-record

portal auth-fail-record enable

reset portal auth-fail-record

portal auth-fail-record max

Use portal auth-fail-record max to set the maximum number of portal authentication failure records.

Use undo portal auth-fail-record max to restore the default.

Syntax

portal auth-fail-record max number

undo portal auth-fail-record max

Default

The device supports a maximum of 6000 portal authentication failure records.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal authentication failure records. The value range for this argument is 1 to 6000.

Usage guidelines

When the maximum number of portal authentication failure records is reached, a new record overwrites the oldest one.

Examples

# Set the maximum number of portal authentication failure records to 50.

<Sysname> system-view

[Sysname] portal auth-fail-record max 50

Related commands

display portal auth-fail-record

portal authorization strict-checking

Use portal authorization strict-checking to enable strict checking on portal authorization information.

Use undo portal authorization strict-checking to disable strict checking on portal authorization information.

Syntax

portal authorization { acl | user-profile } strict-checking

undo portal authorization { acl | user-profile } strict-checking

Default

Strict checking mode on portal authentication information is disabled. If an authorized ACL or user profile does not exist on the device or the ACL or user profile fails to be deployed, the user will not be logged out.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

acl: Enables strict checking on authorized ACLs.

user-profile: Enables strict checking on authorized user profiles.

Usage guidelines

The strict checking feature on an interface or service template allows a portal user to stay online only when the authorization information for the user is successfully deployed. The strict checking fails if the authorized ACL or user profile does not exist on the device or the device fails to deploy the authorized ACL or user profile.

You can enable strict checking on the authorized ACL, authorized user profile, or both. If you enable both strict ACL checking and user profile checking, the user will be logged out if either checking fails.

Examples

# Enable strict checking on authorized ACLs on service template service1.

<Sysname> system-view  

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal authorization acl strict-checking

Related commands

display portal

portal captive-bypass optimize delay

Use portal captive-bypass optimize delay to set the captive-bypass detection timeout time.

Use undo portal captive-bypass optimize delay to restore the default.

Syntax

portal captive-bypass optimize delay seconds

undo portal captive-bypass optimize delay

Default

The captive-bypass detection timeout time is 6 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the captive-bypass detection timeout time, in the range of 1 to 120 seconds.

Usage guidelines

This command applies only to iOS mobile clients.

With optimized captive-bypass enabled, the device automatically pushes the portal authentication page to iOS mobile devices when they are connected to the network. Users can perform authentication on the page or press the home button to return to the desktop without performing authentication, and the Wi-Fi connection is not terminated.

Optimized captive-bypass might fail when the network condition is poor. The device cannot detect a server reachability detection packet from an iOS mobile device within the captive-bypass detection timeout time. Therefore, the Wi-Fi connection will be terminated on the iOS mobile device. To avoid Wi-Fi disconnections caused by server reachability detection failure, you can set a longer captive-bypass detection timeout time when the network condition is poor.

Examples

# Set the captive-bypass detection timeout time to 20 seconds.

<Sysname> system-view

[Sysname] portal captive-bypass optimize delay 20

Related commands

captive-bypass enable

portal cloud report interval

Use portal cloud report interval to configure the time interval at which portal authentication information is reported to the cloud platform.

Use undo portal cloud report interval to restore the default.

Syntax

portal cloud report interval minutes

undo portal cloud report interval

Default

The portal authentication information is reported to the cloud platform at intervals of 5 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

minutes: Specifies the time interval at which portal authentication information is reported to the cloud platform. The value range for the time interval is 0 to 60 minutes. If you set the interval to 0 minutes, the device does not report portal authentication information to the cloud platform.

Usage guidelines

After you configure this command, the device reports portal authentication failure and error information to the cloud platform. The first report is sent to the cloud platform 30 seconds after the device is connected to the server. The subsequent reports are sent at regularly intervals as configured by the command.

If you modify the report interval, the modified interval takes effect for the next report.

Examples

# Configure the device to report portal authentication failure and error information to the cloud platform at intervals of 60 minutes.

<Sysname> system-view

[Sysname] portal cloud report interval 60

portal delete-user

Use portal delete-user to log out online portal users.

Syntax

portal delete-user { ipv4-address | all | auth-type { cloud | email | facebook | local | normal | qq | wechat } | interface interface-type interface-number | ipv6 ipv6-address | mac mac-address | username username }

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of an IPv4 online portal user.

all: Specifies IPv4 and IPv6 online portal users on all interfaces.

auth-type: Specifies online portal users by the authentication type.

cloud: Specifies the cloud authentication.

email: Specifies the email authentication.

facebook: Specifies the Facebook authentication.

local: Specifies the local authentication.

normal: Specifies the normal authentication.

qq: Specifies the QQ authentication.

wechat: Specifies the WeChat authentication.

interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 online portal users on the interface.

ipv6 ipv6-address: Specifies the IP address of an IPv6 online portal user.

mac mac-address: Specifies the MAC address of an online portal user, in the format of H-H-H.

username username: Specifies the username of an online portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Log out the portal user whose IP address is 1.1.1.1.

<Sysname> system-view

[Sysname] portal delete-user 1.1.1.1

# Log out the portal user whose MAC address is 000d-88f8-0eab.

<Sysname> system-view

[Sysname] portal delete-user mac 000d-88f8-0eab

# Log out all portal users that come online through email authentication.

<Sysname> system-view

[Sysname] portal delete-user auth-type email

# Log out the portal user whose username is abc.

<Sysname> system-view

[Sysname] portal delete-user username abc

Related commands

display portal user

portal device-id

Use portal device-id to specify the device ID.

Use undo portal device-id to restore the default.

Syntax

portal device-id device-id

undo portal device-id

Default

A device is not configured with a device ID.

Views

System view

Predefined user roles

network-admin

Parameters

device-id: Specifies a device ID for the device, a case-sensitive string of 1 to 63 characters.

Usage guidelines

The portal authentication server uses device IDs to identify the device that sends protocol packets to the portal server.

Make sure the configured device ID is different than any other access devices communicating with the same portal authentication server.

Examples

# Set the device ID of the device to 0002.0010.100.00.

<Sysname> system-view

[Sysname] portal device-id 0002.0010.100.00

portal domain

Use portal domain to configure a portal authentication domain on an interface or a service template. All portal users accessing through the interface or service template must use the authentication domain.

Use undo portal domain to delete the configured portal authentication domain.

Syntax

portal [ ipv6 ] domain domain-name

undo portal [ ipv6 ] domain

Default

No portal authentication domain is configured.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an authentication domain for IPv6 portal users. Do not specify this keyword for IPv4 portal users.

domain-name: Specifies an ISP authentication domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

You can specify both an IPv4 portal authentication domain and an IPv6 portal authentication domain on an interface or on a service template.

Do not specify the ipv6 keyword for IPv4 portal users.

Examples

# Configure the authentication domain for IPv4 portal users as my-domain on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal domain my-domain

Related commands

display portal

portal dual-ip enable

Use portal dual-ip enable to enable dual IP feature for single-stack portal users in remote portal authentication.

Use undo portal dual-ip enable to disable dual IP feature for single-stack portal users in remote portal authentication.

Syntax

portal dual-ip enable

undo portal dual-ip enable

Default

The dual IP feature is disabled for single-stack portal users in remote portal authentication.

Views

Interface view

Service template view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to carry both the IPv4 address and IPv6 address of a single-stack portal user in the authentication requests during remote portal authentication. If the device does not obtain the IPv4 or IPv6 address of a portal user, it will not carry the IPv4 or IPv6 address in authentication requests for the user.

This feature is applicable only to RADIUS-based remote portal authentication.

Some RADIUS server requires that both IPv4 and IPv6 addresses of portal users must be carried in portal authentication requests. To avoid authentication failure, enable this feature for single-stack portal users when such RADIUS server is used.

Examples

# Enable the dual IP feature on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal dual-ip enable

# Enable the dual IP feature on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal dual-ip enable

portal dual-stack enable

Use portal dual-stack enable to enable the portal dual-stack feature.

Use undo portal dual-stack enable to disable the portal dual-stack feature.

Syntax

portal dual-stack enable

undo portal dual-stack enable

Default

The portal dual-stack feature is disabled.

Views

Interface view

Service template view

Predefined user roles

network-admin

Usage guidelines

The portal dual-stack feature enables portal users to access both IPv4 and IPv6 networks after passing one type (IPv4 or IPv6) of portal authentication.

Only direct portal authentication supports this feature.

Examples

# Enable the portal dual-stack feature on server template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal dual-stack enable

Related commands

portal dual-stack traffic-separate enable

portal dual-stack traffic-separate enable

Use portal dual-stack traffic-separate enable to enable separate IPv4 and IPv6 traffic statistics for dual-stack portal users.

Use undo portal dual-stack traffic-separate enable to disable separate IPv4 and IPv6 traffic statistics for dual-stack portal users.

Syntax

portal dual-stack traffic-separate enable

undo portal dual-stack traffic-separate enable

Default

Separate IPv4 and IPv6 traffic statistics is disabled for dual-stack portal users. The device collects IPv4 and IPv6 traffic statistics collectively.

Views

Interface view

Service template view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to separately collect IPv4 traffic statistics and IPv6 traffic statistics for a dual-stack portal user. Then, the AAA server can separately perform accounting on IPv4 traffic and IPv6 traffic of the user.

For this feature to take effect, you must enable the portal dual-stack feature.

This command has a higher priority over the accounting dual-stack command in ISP domain view. For more information about the accounting dual-stack command, see "AAA commands."

Examples

# Enable separate IPv4 and IPv6 traffic statistics for dual-stack portal users on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal dual-stack traffic-separate enable

Related commands

accounting dual-stack

portal dual-stack enable

portal enable (interface view)

Use portal enable to enable portal authentication.

Use undo portal enable to disable portal authentication.

Syntax

portal enable method { direct | layer3 | redhcp }

portal ipv6 enable method { direct | layer3 }

undo portal [ ipv6 ] enable

Default

Portal authentication is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Enables IPv6 portal authentication. Do not specify this keyword for IPv4 portal authentication.

method: Specifies an authentication mode.

direct: Specifies direct authentication.

layer3: Specifies cross-subnet authentication.

redhcp: Specifies re-DHCP authentication.

Usage guidelines

To modify the portal authentication mode, first execute the undo form of this command to disable portal authentication.

Make sure the device supports IPv6 ACL and IPv6 forwarding before you enable IPv6 portal authentication on the interface.

IPv6 portal authentication does not support the re-DHCP authentication mode.

You can enable both IPv4 portal authentication and IPv6 portal authentication on an interface.

Examples

# Enable direct IPv4 portal authentication on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal enable method direct

Related commands

display portal

portal enable (service template view)

Use portal enable to enable direct portal authentication.

Use undo portal enable to disable direct portal authentication.

Syntax

portal [ ipv6 ] enable method direct

undo portal [ ipv6 ] enable

Default

Direct portal authentication is disabled.

Views

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Enables IPv6 direct portal authentication. Do not specify this keyword for IPv4 direct portal authentication.

Usage guidelines

Only direct portal authentication is supported on a service template.

You can enable both IPv4 portal authentication and IPv6 portal authentication on a service template.

Do not enable portal authentication on both an interface and a service template.

Examples

# Enable direct IPv4 portal authentication on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal enable method direct

Related commands

display portal

portal extend-auth domain

Use portal extend-auth domain to specify the authentication domain for third-party authentication.

Use undo portal extend-auth domain to remove the authentication domain for third-party authentication.

Syntax

portal extend-auth domain domain-name

undo portal extend-auth domain

Default

No authentication domain is specified for third-party authentication.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The specified ISP domain takes effect only on IPv4 portal users that use third-party authentication.

Make sure the authentication, authorization, and accounting methods in the authentication domain are none.

Examples

# Specify authentication domain my-domain for third-party authentication on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal extend-auth domain my-domain

Related commands

display portal

portal extend-auth-server

Use portal extend-auth-server to create a third-party authentication server and enter its view, or enter the view of an existing third-party authentication server.

Use undo portal extend-auth-server to delete a third-party authentication server.

Syntax

portal extend-auth-server { facebook | mail | qq | wechat }

undo portal extend-auth-server { facebook | mail | qq | wechat }

Default

No third-party authentication servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

facebook: Specifies the Facebook authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

Usage guidelines

The device supports using a third-party portal authentication server for portal authentication. A portal user can use a third-party account instead of a portal account to perform portal authentication. If the user passes third-party authentication, the third-party server notifies the third-party authentication success of the user to the device. Then, the device interacts with the local portal Web service to complete the remaining process of portal authentication.

Only direct portal authentication that uses a local portal Web portal service supports third-party authentication.

Examples

# Create a QQ authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq]

# Create an email authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail]

# Create a WeChat authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat]

# Create a Facebook authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb]

Related commands

display portal extend-auth-server

portal fail-permit server

Use portal fail-permit server to enable the portal fail-permit feature for a portal authentication server.

Use undo portal fail-permit server to disable the portal fail-permit feature for the portal authentication server.

Syntax

portal [ ipv6 ] fail-permit server server-name

undo portal [ ipv6] fail-permit server

Default

Portal fail-permit is disabled for the portal authentication server.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server.

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

On an interface, you can enable portal fail-permit for both the portal authentication server and the portal Web servers.

On an interface enabled with portal fail-permit for a portal authentication server and portal Web servers, portal authentication on the interface is disabled in either of the following conditions:

·     All portal Web servers are unreachable.

·     The specified portal authentication server is unreachable.

Portal authentication resumes on the interface when the specified portal authentication server and a minimum of one portal Web server becomes reachable. After portal authentication resumes, unauthenticated portal users need to pass authentication to access network resources. Portal users who have passed authentication can continue accessing network resources.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable portal fail-permit for portal authentication server pts1 on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal fail-permit server pts1

Related commands

display portal

portal fail-permit web-server

Use portal fail-permit web-server to enable the portal fail-permit feature for portal Web servers.

Use undo portal fail-permit web-server to disable the portal fail-permit feature for portal Web servers.

Syntax

portal [ ipv6 ] fail-permit web-server

undo portal [ ipv6 ] fail-permit web-server

Default

Portal fail-permit is disabled for portal Web servers.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal Web servers. To specify IPv4 portal Web servers, do not specify this keyword.

Usage guidelines

Before you configure this feature for a service template, make sure the service template is disabled.

On an interface enabled with portal fail-permit for a portal authentication server and portal Web servers, portal authentication on the interface is disabled in either of the following conditions:

·     All portal Web servers are unreachable.

·     The specified portal authentication server is unreachable.

Portal authentication resumes on the interface when the specified portal authentication server and a minimum of one portal Web server becomes reachable. After portal authentication resumes, unauthenticated portal users need to pass authentication to access network resources. Portal users who have passed authentication can continue accessing network resources.

On a service template enabled with fail-permit for a portal authentication server and portal Web servers, portal authentication on the service template is disabled in either of the following conditions:

·     All portal Web servers are unreachable.

·     The specified portal authentication server is unreachable.

Portal authentication resumes on the service template when the specified portal authentication server and a minimum of one portal Web server becomes reachable. After portal authentication resumes, unauthenticated portal users need to pass authentication to access network resources. Portal users who have passed authentication can continue accessing network resources.

Examples

# Enable portal fail-permit for the portal Web servers on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal fail-permit web-server

# Enable portal fail-permit for the portal Web servers on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal fail-permit web-server

Related commands

display portal

portal forbidden-rule

Use portal forbidden-rule to configure a portal-forbidden rule.

Use undo portal forbidden-rule to delete portal-forbidden rules.

Syntax

portal forbidden-rule rule-number [ source { ip { ipv4-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | ssid ssid-name } * ] destination { host-name | ip { ipv4-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] }

portal forbidden-rule rule-number [ source { ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] | ssid ssid-name } * ] destination { host-name | ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] }

undo portal forbidden-rule { rule-number | all }

Default

No portal-forbidden rules are configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies the number of a portal-forbidden rule. The value range for this argument os 0 to 4294967295.

source: Specifies the source information.

ip ipv4-address: Specifies an IPv4 address.

{ mask-length | mask }: Specifies the subnet mask of the IPv4 address. The mask-length argument represents the length of a subnet mask, in the range of 0 to 32. The mask argument represents a subnet mask in dotted decimal notation.

ip any: Specifies any IPv4 address.

tcp tcp-port-number: Specifies a TCP port number in the range of 0 to 65535.

udp udp-port-number: Specifies a UDP port number in the range of 0 to 65535.

ipv6 ipv6-address: Specifies an IPv6 address.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

ipv6 any: Specifies any IPv6 address.

ssid ssid-name: Specifies an SSID by its name, a case-sensitive string of 1 to 32 characters.

host-name: Specifies a destination host by its name, a case-insensitive string of 1 to 253 characters. Valid characters include letters, digits, hyphens (-), underscores (_), and dots (.). The host name cannot be i, ip, ipv, or ipv6.

all: Specifies all portal-forbidden rules.

Usage guidelines

Portal-forbidden rules are used to filter user packets from the specified sources or destined for the specified destinations. The device drops user packets that match the portal-forbidden rules.

Portal-forbidden rules take effect only when portal authentication is enabled.

In a portal-forbidden rule, the source and destination IP addresses must be of the same IP type, and the source and destination ports must be of the same transport protocol type.

You can configure multiple portal-forbidden rules.

If the source or destination information in a portal-free rule and that in a portal-forbidden rule overlap, the portal-forbidden rule takes effect.

If you specify a destination host name in a portal-forbidden rule, the device drops users' DNS query packets for the specified host name. In addition, if a DNS server is correctly configured on the device, the device also drops user packets destined for the IP address resolved from the specified host name. If the DNS server is not correctly configured, the rule does not take effect on user packets destined for that IP address.

Examples

# Configure portal-forbidden rule 10 to prohibit portal users from accessing website www.xyz.com.

<Sysname> system-view

[Sysname] portal forbidden-rule 10 source ip any destination www.xyz.com

# Configure portal-forbidden rule 12 to prohibit the portal user with IP address 1.1.1.1/32 from accessing IP address 2.2.2.2/32.

<Sysname> system-view

[Sysname] portal forbidden-rule 12 source ip 1.1.1.1 32 destination ip 2.2.2.2 32

Related commands

display portal rule

portal free-all except destination

Use portal free-all except destination to configure an IPv4 portal authentication destination subnet on an interface.

Use undo portal free-all except destination to delete the IPv4 portal authentication destination subnets on the interface.

Syntax

portal free-all except destination ipv4-network-address { mask-length | mask }

undo portal free-all except destination [ ipv4-network-address ]

Default

No IPv4 portal authentication destination subnet is configured on the interface. Portal users must pass portal authentication to access any subnet.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-network-address: Specifies an IPv4 portal authentication subnet address.

mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to 32.

mask: Specifies the subnet mask in dotted decimal format.

Usage guidelines

Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication.

If you do not specify the ipv4-network-address argument in the undo portal free-all except destination command, this commands deletes all IPv4 portal authentication destination subnets on the interface.

Re-DHCP authentication does not support authentication destination subnets.

If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.

You can repeat this command to configure multiple authentication destination subnets.

Examples

# Configure an IPv4 portal authentication destination subnet of 11.11.11.0/24 on VLAN-interface 2. Portal users need to pass authentication to access this subnet and can access other subnets without authentication.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname–Vlan-interface2] portal free-all except destination 11.11.11.0 24

Related commands

display portal

portal free-rule

Use portal free-rule to configure an IP-based portal-free rule.

Use undo portal free-rule to delete portal-free rules.

Syntax

portal free-rule rule-number { destination ip { ipv4-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | source ip { ipv4-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]

portal free-rule rule-number { destination ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] | source ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]

undo portal free-rule { rule-number | all }

Default

No IP-based portal-free rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295.

destination: Specifies the destination information.

source: Specifies the source information.

ip ipv4-address: Specifies an IPv4 address for the portal-free rule.

{ mask-length | mask }: Specifies the subnet mask of the IPv4 address. The value range for the mask-length argument is 0 to 32. The mask argument is in dotted decimal format.

ip any: Represents any IPv4 address.

tcp tcp-port-number: Specifies a TCP port number for the portal-free rule, in the range of 0 to 65535.

udp udp-port-number: Specifies a UDP port number for the portal-free rule, in the range of 0 to 65535.

ipv6 ipv6-address: Specifies an IPv6 address for the portal-free rule.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

ipv6 any: Represents any IPv6 address.

all: Specifies all portal-free rules.

interface interface-type interface-number: Specifies a Layer 3 interface on which the portal-free rule takes effect.

Usage guidelines

You can specify both the source and destination keyword for a portal-free rule. If you specify only one keyword, the other keyword does not act as a filtering criterion.

If you specify both a source port number and a destination port number for a portal-free rule, the two port numbers must belong to the same transport layer protocol.

If you do not specify a Layer 3 interface, the portal-free rule takes effect on all portal-enabled interfaces.

You cannot configure two portal-free rules with the same filtering criteria.

Examples

# Configure an IPv4-based portal-free rule numbered 1 for VLAN-interface 2. In this rule, the source IP address is 10.10.10.1/24, the destination IP address is 20.20.20.1/32, the destination TCP port number is 23.

<Sysname> system-view

[Sysname] portal free-rule 1 destination ip 20.20.20.1 32 tcp 23 source ip 10.10.10.1 24 interface vlan-interface 2

# Configure an IPv6-based portal-free rule numbered 2 for VLAN-interface 2. In this rule, the source IPv6 address is 2000::1/64, the destination IPv6 address is 2001::1/128, the destination TCP port number is 23.

<Sysname> system-view

[Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ipv6 2000::1 64 interface vlan-interface 2

Related commands

display portal rule

portal free-rule description

Use portal free-rule description to configure a description for a portal-free rule.

Use undo portal free-rule description to delete the description of a portal-free rule.

Syntax

portal free-rule rule-number description text

undo portal free-rule rule-number description

Default

No description is configured for a portal-free rule.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule by its rule number. The value range for this argument is 0 to 4294967295.

text: Specifies the description, a case-sensitive string of 1 to 255 characters.

Examples

# Configure a description of This is IT department for portal-free rule 2.

<Sysname> system-view

[Sysname] portal free-rule 2 description This is IT department

portal free-rule destination

Use portal free-rule destination to configure a destination-based portal-free rule.

Use undo portal free-rule to delete portal-free rules.

Syntax

portal free-rule rule-number destination host-name

undo portal free-rule { rule-number | all }

Default

No destination-based portal-free rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295.

destination: Specifies the destination host.

host-name: Specifies the destination host by its name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, hyphens (-), underscores (_), dots (.), and asterisks (*). The host name string cannot be i, ip, ipv, or ipv6.

all: Specifies all portal-free rules.

Usage guidelines

You can configure a host name in one of the following ways:

·     For exact match—Specify a complete host name. For example, if you configure the host name as abc.com.cn in the portal-free rule, only packets that contain the host name abc.com.cn match the rule. Packets that carry any other host names (such as dfabc.com.cn) do not match the rule.

·     For fuzzy match—Specify a host name by placing the asterisk (*) wildcard character at the beginning or end of the host name string. For example, if you configure the host name as *abc.com.cn, abc*, or *abc*, packets that carry the host name ending with abc.com.cn, starting with abc, or including abc match the rule.

The asterisk (*) wildcard character represents any characters. The device treats multiple consecutive asterisks as one.

The configured host name cannot contain only asterisks (*).

The fuzzy match feature takes effect only on HTTP or HTTPS requests initiated by Web browsers.

You cannot configure two destination-based portal-free rules with the same destination information. Otherwise the system prompts you that the same rule already exists.

Examples

# Configure a destination-based portal-free rule: specify the rule number as 4 and host name as www.h3c.com. This rule allows the portal user who sends the HTTP/HTTPS request that carries the host name www.h3c.com to access network resources without authentication.

<Sysname> system-view

[Sysname] portal free-rule 4 destination www.h3c.com

Related commands

display portal rule

portal free-rule source

Use portal free-rule source to configure a source-based portal-free rule. The filtering criteria include source MAC address, source interface, and source VLAN.

Use undo portal free-rule to delete a specific or all portal-free rules.

Syntax

portal free-rule rule-number source { ap ap-name | { interface interface-type interface-number | mac mac-address | vlan vlan-id } * }

undo portal free-rule { rule-number | all }

Default

No source-based portal-free rules exist.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-). This option is applicable only when portal authentication is enabled on a service template.

interface interface-type interface-number: Specifies a source interface by its type and number for the portal-free rule.

mac mac-address: Specifies a source MAC address for the portal-free rule, in the form of H-H-H.

vlan vlan-id: Specifies a source VLAN ID for the portal-free rule. This option takes effect only on portal users that access the network through VLAN interfaces.

all: Specifies all portal-free rules.

Usage guidelines

If you specify both the source VLAN and the source Layer 2 interface, the interface must be in the VLAN.

If portal users have come online before source-based portal-free rules are configured, the device keeps accounting on traffic of the users.

Examples

# Configure a source-based portal-free rule: specify the rule number as 3, source MAC address as 1-1-1, and source VLAN ID as 10. This rule allows the portal user whose source MAC address is 1-1-1 from VLAN 10 to access network resources without authentication.

<Sysname> system-view

[Sysname] portal free-rule 3 source mac 1-1-1 vlan 10

# Configure a source-based portal-free rule: specify the rule number as 4 and source AP name as ap10. This rule allows portal users on AP 10 to access network resources without authentication.

<Sysname> system-view

[Sysname] portal free-rule 4 source ap ap10

Related commands

display portal rule

portal host-check enable

Use portal host-check enable to enable validity check on wireless portal clients.

Use undo portal host-check enable to disable validity check on wireless portal clients.

Syntax

portal host-check enable

undo portal host-check enable

Default

Validity check on wireless portal clients is disabled. The device checks wireless portal client validity according to ARP entries only.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, the device checks wireless portal client validity according to ARP entries only. In wireless networks where the AP forwards client traffic, the AC does not have ARP entries for clients. Therefore, the AC cannot check the validity of portal clients by using ARP entries. To ensure that valid users can perform portal authentication, you must enable wireless client validity check on the AC.

This feature enables the AC to validate a client by looking up the client information in the WLAN snooping table, DHCP snooping table, and ARP table. If the client information exists, the AC determines the client to be valid for portal authentication.

Examples

# Enable validity check on wireless portal clients.

<Sysname> system-view

[Sysname] portal host-check enable

portal idle-cut dhcp-capture enable

Use portal idle-cut dhcp-capture enable to enable DHCP packet capture to detect online status of portal users by capturing DHCP packets of the portal users.

Use undo portal idle-cut dhcp-capture enable to disable DHCP packet capture.

Syntax

portal idle-cut dhcp-capture enable

undo portal idle-cut dhcp-capture enable

Default

DHCP packet capture is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the AC to detect the online status of portal users by capturing DHCP packets of the portal users.

When this feature is enabled, the AC captures DHCP packets between a portal user and the DHCP server and obtains the IP address lease information of the user. The AC then detects the online status of the portal user as follows:

·     If the AC captures a DHCP lease renewal packet from the portal user before the lease expires, the AC determines that the portal user is online.

·     If no DHCP lease renewal packet is captured before the lease expires, the AC forcibly logs out the portal user.

For more information about DHCP packets, see DHCP configuration in Network Connectivity Configuration Guide.

The timeout time of the DHCP packet capture timer is the same as the IP address lease time in DHCP packets. This timer resets each time a DHCP packet is captured.

Examples

# Enable DHCP packet capture to detect online status of portal users.

<Sysname> system-view

[Sysname] portal idle-cut dhcp-capture enable

portal ipv6 free-all except destination

Use portal ipv6 free-all except destination to configure an IPv6 portal authentication destination subnet on an interface.

Use undo portal ipv6 free-all except destination to delete IPv6 portal authentication destination subnets on the interface.

Syntax

portal ipv6 free-all except destination ipv6-network-address prefix-length

undo portal ipv6 free-all except destination [ ipv6-network-address ]

Default

No IPv6 portal authentication destination subnet is configured on the interface. Portal users must pass portal authentication to access any IPv6 subnet.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-network-address: Specifies an IPv6 portal authentication destination subnet.

prefix-length: Specifies the prefix length of the IPv6 subnet, in the range of 0 to 128.

Usage guidelines

Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication.

If you do not specify the ipv6-network-address argument in the undo portal ipv6 free-all except destination command, this command deletes all IPv6 portal authentication destination subnets on the interface.

Re-DHCP authentication does not support authentication destination subnets.

If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.

You can repeat this command to configure multiple authentication destination subnets.

Examples

# Configure an IPv6 portal authentication destination subnet of 1::2/16 on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname–Vlan-interface2] portal ipv6 free-all except destination 1::2 16

Related commands

display portal

portal ipv6 layer3 source

Use portal ipv6 layer3 source to configure an IPv6 portal authentication source subnet on an interface.

Use undo portal ipv6 layer3 source to delete IPv6 portal authentication source subnets on an interface.

Syntax

portal ipv6 layer3 source ipv6-network-address prefix-length

undo portal ipv6 layer3 source [ ipv6-network-address ]

Default

No IPv6 portal authentication source subnet is configured on the interface. Portal users from any IPv6 subnet must pass portal authentication.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-network-address: Specifies an IPv6 portal authentication source subnet address.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

Usage guidelines

With IPv6 authentication source subnets configured, only packets from IPv6 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv6 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.

If you do not specify the ipv6-network-address argument in the undo portal ipv6 layer3 source command, this command deletes all IPv6 portal authentication source subnets on the interface.

Only cross-subnet authentication supports authentication source subnets.

If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.

Examples

# Configure an IPv6 portal authentication source subnet of 1::1/16 on VLAN-interface 2. Only portal users from subnet 1::1/16 trigger portal authentication.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname–Vlan-interface2] portal ipv6 layer3 source 1::1 16

Related commands

display portal

portal ipv6 free-all except destination

portal ipv6 user-detect

Use portal ipv6 user-detect to enable online detection of IPv6 portal users.

Use undo ipv6 portal user-detect to disable online detection of IPv6 portal users.

Syntax

portal ipv6 user-detect type { icmpv6 | nd } [ retry retries ] [ interval interval ] [ idle time ]

undo portal ipv6 user-detect

Default

Online detection of IPv6 portal users is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

type: Specifies the detection type.

icmpv6: Specifies ICMPv6 detection.

nd: Specifies ND detection.

retry retries: Specifies the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.

interval interval: Specifies a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.

idle time: Specifies the user idle timeout in the range of 60 to 3600 seconds. The default idle timeout is 180 seconds. When the timeout expires, online detection of portal users is started.

Usage guidelines

If the device receives no packets from a portal user within the idle time, the device detects the user's online status as follows:

·     ICMPv6 detection—Sends ICMPv6 requests to the user at configurable intervals to detect the user status.

¡     If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡     If the device receives no reply after the maximum number of detection attempts, the device logs out the user.

·     ND detection—Sends ND requests to the user and detects the ND entry status of the user at configurable intervals.

¡     If the ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ND entry. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡     If the ND entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.

Direct authentication and re-DHCP authentication support both ND detection and ICMPv6 detection. Cross-subnet authentication only supports ICMPv6 detection.

If the access device filters out ICMPv6 packets, ICMPv6 detection might fail and result in the logout of portal users. Make sure the access device does not block ICMPv6 packets before you enable ICMPv6 detection on an interface.

Examples

# Enable online detection of IPv6 portal users on VLAN-interface 100. Configure the detection type as ND, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal ipv6 user-detect type nd retry 5 interval 10 idle 300

Related commands

display portal

portal layer3 source

Use portal layer3 source to configure an IPv4 portal authentication source subnet.

Use undo portal layer3 source to delete IPv4 portal authentication source subnets.

Syntax

portal layer3 source ipv4-network-address { mask-length | mask }

undo portal layer3 source [ ipv4-network-address ]

Default

No IPv4 portal authentication source subnet is configured. Portal users from any IPv4 subnet must pass portal authentication.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-network-address: Specifies an IPv4 portal authentication source subnet address.

mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.

mask: Specifies the subnet mask in dotted decimal format.

Usage guidelines

With IPv4 authentication source subnets configured, only packets from IPv4 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv4 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.

If you do not specify the ipv4-network-address argument in the undo portal layer3 source command, this command deletes all IPv4 portal authentication source subnets on the interface.

Only cross-subnet authentication supports authentication source subnets.

If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.

Examples

# Configure an IPv4 portal authentication source subnet of 10.10.10.0/24 on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname–Vlan-interface2] portal layer3 source 10.10.10.0 24

Related commands

display portal

portal free-all except destination

portal local-web-server

Use portal local-web-server create an HTTP- or HTTPS-based local portal Web service and enter its view, or enter the view of the existing HTTP- or HTTPS-based local portal Web service.

Use undo portal local-web-server to delete the HTTP- or HTTPS-based local portal Web service.

Syntax

portal local-web-server { http | https [ ssl-server-policy policy-name ] [ tcp-port port-number ] }

undo portal local-web-server { http | https }

Default

No local portal Web services exist.

Views

System view

Predefined user roles

network-admin

Parameters

http: Specifies the HTTP-based local portal Web service, which uses HTTP to exchange authentication information with clients.

https: Specifies the HTTPS-based local portal Web service, which uses HTTPS to exchange authentication information with clients.

ssl-server-policy policy-name: Specifies an existing SSL server policy for HTTPS. The policy name is a case-insensitive string of 1 to 31 characters.

tcp-port port-number: Specifies the listening TCP port number for the HTTPS-based local portal Web service. The value range for the port-number argument is 1 to 65535. The default port number is 443.

Usage guidelines

In the local portal Web service, the access device also acts as the portal Web server and the portal authentication server. No external portal Web server and portal authentication server are needed.

For an interface to use the local portal Web service, the URL of the portal Web server specified for the interface must meet the following requirements:

·     The IP address in the URL must be a local IP address on the device.

·     The URL must be ended with /portal/. For example: http://1.1.1.1/portal/.

You cannot delete an SSL server policy by using the undo ssl server-policy command when the policy is associated with HTTPS.

To specify a new SSL server policy for HTTPS, first execute the undo form of this command to delete the existing HTTPS-based local portal Web service.

When you specify the listening TCP port number for the HTTPS-based local portal Web service, follow these restrictions and guidelines:

·     For HTTPS-based local portal Web service and other services that use HTTPS:

¡     If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.

¡     If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.

·     Do not configure the HTTPS listening TCP port number as the port number used by a known protocol (except HTTPS) or other service.

·     Do not configure the same TCP port number for HTTP-based local portal Web service and HTTPS-based local portal Web service.

Examples

# Create an HTTP-based local portal Web service and enter its view.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] quit

# Create an HTTPS-based local portal Web service and associate SSL server policy policy1 with the service.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1

[Sysname-portal-local-websvr-https] quit

# Change the SSL server policy to policy2.

[Sysname] undo portal local-web-server https

[Sysname] portal local-web-server https ssl-server-policy policy2

[Sysname-portal-local-websvr-https] quit

# Create an HTTPS-based local portal Web service. In the service, the associated SSL server policy is policy1 and the listening port number is 442.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1 tcp-port 442

[Sysname-portal-local-websvr-https] quit

Related commands

default-logon-page

portal local-web-server

ssl server-policy

portal logout-record enable

Use portal logout-record enable to enable portal user offline recording.

Use undo portal logout-record enable to disable portal user offline recording.

Syntax

portal logout-record enable

undo portal logout-record enable

Default

Portal user offline recording is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to save all portal user offline records and to periodically send the records to the server.

Examples

# Enable portal user offline recording.

<Sysname> system-view

[Sysname] portal logout-record enable

Related commands

display portal logout-record

portal logout-record export

Use portal logout-record export to export portal user offline records to a path.

Syntax

portal logout-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal user offline records are exported. The URL is a case-insensitive string of 1 to 255 characters.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The device supports FTP, TFTP, and HTTP file transfer methods. Table 32 describes the valid URL format for each method.

Table 32 URL formats

Protocol

URL format

Remarks

FTP

ftp://username[:password]@server-address[:port-number]/file-path

Example: ftp://a:1@1.1.1.1/authfail/

The username and password must be the same as those on the server.

If the server authenticates only the username, no password is required.

TFTP

tftp://server-address[:port-number]/file-path

Example: tftp://1.1.1.1/ autherror/

N/A

HTTP

http://username[:password]@server-address[:port-number]/file-path

Example: http://1.1.1.1/autherror/

The username and password must be the same as those on the server.

If the server authenticates only the username, no password is required.

 

If the server address is an IPv6 address, bracket the IPv6 address to distinguish the IPv6 address from the port number. For example, if the server address is 2001::1 and the port number is 21, the URL is ftp://test:test@[2001::1]/test/.

Examples

# Export all portal user offline records to path tftp://1.1.1.1/record/logout/.

<Sysname> system-view

[Sysname] portal logout-record export url tftp://1.1.1.1/record/logout/

# Export portal user offline records in the time rang of 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/logout/.

<Sysname> system-view

[Sysname] portal logout-record export url tftp://1.1.1.1/record/logout/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

display portal logout-record

portal logout-record enable

reset portal logout-record

portal logout-record max

Use portal logout-record max to set the maximum number of portal user offline records.

Use undo portal logout-record max to restore the default.

Syntax

portal logout-record max number

undo portal logout-record max

Default

The device supports a maximum of 6000 portal user offline records.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal user offline records. The value range for this argument is 1 to 6000.

Usage guidelines

When the maximum number of portal user offline records is reached, a new record overwrites the oldest one.

Examples

# Set the maximum number of portal user offline records to 50.

<Sysname> system-view

[Sysname] portal logout-record max 50

Related commands

display portal logout-record

portal mac-trigger-server

Use portal mac-trigger-server to create a MAC binding server and enter its view, or enter the view of an existing MAC binding server.

Use undo portal mac-trigger-server to delete the MAC binding server.

Syntax

portal mac-trigger-server server-name

undo portal mac-trigger-server server-name

Default

No MAC binding servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

After you create a MAC binding server, you can configure MAC binding server parameters, such as the server's IP address and port number.

Examples

# Create the MAC binding server mts and enter its view.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts]

Related commands

display portal mac-trigger-server

portal apply mac-trigger-server

portal max-user

Use portal max-user to set the maximum number of total portal users allowed in the system.

Use undo portal max-user to restore the default.

Syntax

portal max-user max-number

undo portal max-user

Default

The total number of portal users allowed in the system is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of total portal users in the system. The value range for this argument is 1 to 4294967295.

Usage guidelines

If you configure the maximum total number smaller than the number of current online portal users on the device, this command still takes effect. The online users are not affected by this command, but the system forbids new portal users to log in.

This command sets the maximum number of online IPv4 and IPv6 portal users in all.

Make sure the maximum combined number of IPv4 and IPv6 portal users specified on all interfaces or service templates does not exceed the system-allowed maximum number. Otherwise, the exceeding portal users will not be able to log in to the device.

Examples

# Set the maximum number of online portal users allowed in the system to 100.

<Sysname> system-view

[Sysname] portal max-user 100

Related commands

display portal user

portal { ipv4-max-user | ipv6-max-user }

portal nas-id profile

Use portal nas-id-profile to specify a NAS-ID profile for an interface.

Use undo portal nas-id-profile to restore the default.

Syntax

portal nas-id-profile profile-name

undo portal nas-id-profile

Default

No NAS-ID profile is specified for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of a NAS-ID profile, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A NAS-ID profile defines the binding relationship between VLANs and NAS-IDs. To configure a NAS-ID profile, use the aaa nas-id profile command. For more information about the aaa nas-id profile command, see "AAA commands."

If an interface is specified with a NAS-ID profile, the interface prefers to use the bindings defined in the profile.

If no NAS-ID profile is specified for an interface or no matching binding is found in the specified profile, the device uses the device name as the interface NAS-ID.

Examples

# Specify the NAS-ID profile aaa for VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-id-profile aaa

Related commands

aaa nas-id profile

portal nas-port-id format

Use portal nas-port-id format to specify the NAS-Port-Id attribute format.

Use undo portal nas-port-id format to restore the default.

Syntax

portal nas-port-id format { 1 | 2 | 3 | 4 }

undo portal nas-port-id format

Default

The format for the NAS-Port-Id attribute is format 2.

Views

System view

Predefined user roles

network-admin

Parameters

1: Uses format 1 for the NAS-Port-Id attribute.

2: Uses format 2 for the NAS-Port-Id attribute.

3: Uses format 3 for the NAS-Port-Id attribute.

4: Uses format 4 for the NAS-Port-Id attribute.

Usage guidelines

The NAS-Port-Id format supported by RADIUS servers varies by vendor. Use this command to specify the format of the NAS-Port-Id attribute in the RADIUS packets sent for portal users to the RADIUS server. The device then automatically constructs a value for the NAS-Port-Id attribute in the specified format to meet the RADIUS server requirements.

Format 1 contains three space-separated strings: interface-type port-location access-node-id. Spaces are not allowed within a string.

·     The interface-type string specifies the interface type of the NAS port. Available options include:

¡     eth—Common Ethernet interface.

¡     trunk—Ethernet trunk interface.

¡     0—The interface type information will be reported by the access node to the BRAS.

·     The port-location string represents the location of the access line on the BRAS. Its format is NAS_slot/NAS_subslot/NAS_port:XPI.XCI.

 

Field

Description

NAS_slot

Slot number of the BRAS, in the range of 0 to 31.

NAS_subslot

Subslot number of the BRAS, in the range of 0 to 31.

NAS_Port

Port number of the BRAS, in the range of 0 to 63.

XPI.XCI

For Ethernet interfaces or Ethernet trunk interfaces:

·     XPI is PVLAN in the range of 0 to 4095. This field is set to 4096 if there is no PVLAN.

·     XCI is CVLAN in the range of 0 to 4095. This field is set to 4096 if the user is not assigned to a VLAN as in the situation where the end user device is directly connected to a BRAS port.

 

For the access node to report its access line information to the BRAS, all fields will be set to 0s except for the XPI and XCI fields.

·     The access-node-id string specifies the attributes the of BRAS. Its format is AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port:ANI_XPI.ANI_XCI, in which the :ANI_XPI.ANI_XCI portion is optional.

 

AccessNodeIdentifier

Identifier description of the access node, a string not longer than 50 characters without spaces.

ANI_rack

Rack number of the access node, in the range of 0 to 15.

ANI_frame

Frame number of the access node, in the range of 0 to 31.

ANI_slot

Slot number of the access node, in the range of 0 to 127.

ANI_subslot

Subslot number of the access node, in the range of 0 to 31.

ANI_port

Port number of the access node, in the range of 0 to 255.

ANI_XPI.ANI_XCI

Optional.

This field is mainly used to carry CPE-side service information, identifying the further service type requirement. For example, use this field to identify specific services in a multi-PVC scenario.

For Ethernet interfaces or Ethernet trunk interfaces:

·     ANI_XPI is PVLAN in the range of 0 to 4095. This field is set to 4096 if there is no PVLAN.

·     ANI_XCI is CVLAN in the range of 0 to 4095. This field is set to 4096 if the user is not assigned to a VLAN as in the situation where the end user device is directly connected to a BRAS port.

 

If the device does not have rack, frame, or subslot information, 0 is padded in the corresponding field.

·     Examples of format 1:

 

NAS-Port-Id

Description

eth 31/31/7:1234.2345 0/0/0/0/0/0

The subscriber interface type is an Ethernet interface.

The slot number is 31, the subslot number is 31, the port number is 7, the PVLAN is 1234, and the CVLAN is 2345.

If there is no PVLAN, 1234 will be replaced with 4096.

eth 31/31/7:4096.2345 0/0/0/0/0/0

The subscriber interface type is Ethernet.

The slot number is 31, the subslot number is 31, the port number is 7, and the VLAN ID is 2345.

eth 31/31/7:4096.2345 guangzhou001/1/31/63/31/127

The subscriber interface type is Ethernet.

The slot number is 31, the subslot number is 31, the port number is 7, and the VLAN ID is 2345.

The access node identifier of the DSLAM is guangzhou001, the rack number is 1, the frame number is 31, the slot number is 63, the subslot number is 31, and the port number is 127.

 

Format 2 is SlotID00IfNOVlanID.

·     SlotIDSlot number, a string of 2 characters.

·     IfNOSlot number, a string of 3 characters.

·     VlanIDVLAN ID, a string of 9 characters.

Format 3 is SlotID00IfNOVlanIDDHCPoption.

·     SlotIDSlot number, a string of 2 characters.

·     IfNOInterface number, a string of 3 characters.

·     VlanIDVLAN ID, a string of 9 characters.

·     DHCPoptionDHCP option 82 is appended for IPv4 users and DHCP option 1 is appended for IPv6 users.

Format 4 is slot=**;subslot=**;port=**;vlanid=**;vlanid2=**.

·     For non-VLAN interfaces, the slot=**;subslot=**;port=**;vlanid=0 format is used.

·     For interfaces that terminate only the outermost VLAN tag, the slot=**;subslot=**;port=**;vlanid=** format is used.

Examples

# Set the format of the NAS-Port-Id attribute to format 1.

<Sysname> system-view

[Sysname] portal nas-port-id format 1

portal nas-port-type

Use portal nas-port-type to specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server.

Use undo portal nas-port-type to restore the default.

Syntax

portal nas-port-type { ethernet | wireless }

undo portal nas-port-type

Default

The NAS-Port-Type value carried in RADIUS requests is the user's access interface type value obtained by the access device.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ethernet: Specifies the NAS-Port-Type attribute value as Ethernet (number 15).

wireless: Specifies the NAS-Port-Type attribute value as WLAN-IEEE 802.11 (number 19).

Usage guidelines

As the access device, the BAS might not be able to correctly obtain a user's interface type when multiple network devices exist between the BAS and the portal client. For example, the access interface type obtained by the BAS for a wireless portal user might be the type of the wired interface that authenticated the user. For the BAS to send correct user interface type to the RADIUS server, use this command to specify the correct NAS-Port-Type value.

Examples

# On service template service1, specify the NAS-Port-Type value in RADIUS requests sent to the RADIUS server as WLAN-IEEE 802.11.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal nas-port-type wireless

Related commands

display portal interface

portal oauth user-sync interval

Use portal oauth user-sync interval to set the user synchronization interval for portal authentication using OAuth.

Use undo portal oauth user-sync interval to restore the default.

Syntax

portal oauth user-sync interval interval

undo portal oauth user-sync interval

Default

The user synchronization interval is 60 seconds for portal authentication using OAuth.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the user synchronization interval, in seconds. The value for this argument can be 0 or in the range of 60 to 3600.

Usage guidelines

If portal authentication uses OAuth, the device periodically reports user information to the portal authentication server for user synchronization on the server. To disable user synchronization from the device to the portal authentication server, set the user synchronization interval to 0 seconds on the device.

Examples

# Set the user synchronization interval to 120 seconds for portal authentication using OAuth.

<Sysname> system-view

[Sysname] portal oauth user-sync interval 120

portal outbound-filter enable

Use portal outbound-filter enable to enable outgoing packets filtering.

Use undo portal outbound-filter enable to disable outgoing packets filtering.

Syntax

portal [ ipv6 ] outbound-filter enable

undo portal [ ipv6 ] outbound-filter enable

Default

Outgoing packets filtering is disabled.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies outgoing IPv6 packets. If you do not specify this keyword, the command is for outgoing IPv4 packets.

Usage guidelines

When you enable this feature on a portal-enabled interface or service template, the device permits the interface or service template to send the following packets:

·     Packets whose destination IP addresses are IP addresses of authenticated portal users.

·     Packets that match portal-free rules.

Other outgoing packets on the interface or service template are dropped.

Examples

# Enable outgoing packets filtering on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal outbound-filter enable

portal packet log enable

Use portal packet log enable to enable logging for portal protocol packets.

Use undo portal packet log enable to disable logging for portal protocol packets.

Syntax

portal packet log enable

undo portal packet log enable

Default

Portal protocol packet logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs information about portal protocol packets, including the username, IP address, authentication type, SSID, AP MAC, and packet type. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see System Management Configuration Guide.

Examples

# Enable logging for portal protocol packets.

<Sysname> system-view

[Sysname] portal packet log enable

Related commands

portal redirect log enable

portal user log enable

portal pre-auth domain

Use portal pre-auth domain to specify a preauthentication domain for portal users.

Use undo portal pre-auth domain to restore the default.

Syntax

portal [ ipv6 ] pre-auth domain domain-name

undo portal [ ipv6 ] pre-auth domain

Default

No preauthentication domain is specified for portal users.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

domain-name: Specifies an existing ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the following characters: slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).

Usage guidelines

After you configure a preauthentication domain on a portal-enabled interface, the device authorizes users on the interface as follows:

1.     After an unauthenticated user obtains an IP address, the user is assigned with authorization attributes configured for the preauthentication domain.

The authorization attributes in a preauthentication domain include ACL, user profile, and CAR.

An unauthenticated user who is authorized with the authorization attributes in a preauthentication domain is called a preauthentication user.

2.     After the user passes portal authentication, the user is assigned with new authorization attributes from the AAA server.

3.     After the user goes offline, the user is reassigned with the authorization attributes in the preauthentication domain.

Make sure you specify an existing ISP domain as a preauthentication domain. If the specified ISP domain does not exist, the device might operate incorrectly. You must delete a preauthentication domain (by using the undo portal [ ipv6 ] pre-auth domain command) and reconfigure it in the following situations:

·     You create the ISP domain after specifying it as the preauthentication domain.

·     You delete the specified ISP domain and then re-create it.

The preauthentication domain takes effect only on portal users with IP addresses assigned by DHCP or DHCPv6.

If you change the preauthentication domain on an interface, the interface uses the new preauthentication domain for both new and existing preauthentication users.

If authorization attributes in the preauthentication domain are modified, the modified attributes take effect only on new preauthentication users. Existing preauthentication users use the original authorization attributes.

If the ACL in the preauthentication domain does not exist or the ACL has no rules, the device does not control user access. Users can access any network resources without passing portal authentication.

For the authorization ACL in the preauthentication domain, the following rules apply:

·     If the ACL does not exist or the destination address permitted by a rule in the ACL is set to any, the device does not control user access. Users can access any network resources without passing portal authentication.

·     If the ACL does not have any rules, the device allows users to access network resources only after the users pass authentication.

·     Do not specify a source address. If you specify a source address, users cannot trigger portal authentication.

If both a preauthentication domain and MAC-trigger authentication are configured on the device, set the free-traffic threshold for MAC-trigger authentication to 0 bytes.

Examples

# Create preauthentication domain abc for VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal pre-auth domain abc

Related commands

display portal

portal pre-auth ip-pool

Use portal pre-auth ip-pool to specify a preauthentication IP address pool for portal users.

Use undo portal pre-auth ip-pool to restore the default.

Syntax

portal [ ipv6 ] pre-auth ip-pool pool-name

undo portal [ ipv6 ] pre-auth ip-pool

Default

No preauthentication IP address pool is specified for portal users.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

pool-name: Specifies an IP address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You must use this command to specify a preauthentication IP address pool on a portal-enabled interface in the following situation:

·     Portal users access the network through a subinterface of the portal-enabled interface.

·     The subinterface does not have an IP address.

·     Portal users need to obtain IP addresses through DHCP.

DHCP assigns an IP address from the specified IP address pool to a user. Then, the user can use this IP address to perform portal authentication.

The specified IP address pool takes effect only when the direct portal authentication mode is used on the interface.

For the preauthentication IP address pool to take effect, make sure the specified IP address pool exists and has been correctly configured.

Examples

# Specify IPv4 address pool abc as the preauthentication IP address pool for portal users on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal pre-auth ip-pool abc

Related commands

dhcp server ip-pool (Network Connectivity Command Reference)

display portal

ipv6 dhcp pool (Network Connectivity Command Reference)

portal redirect-rule

Use portal redirect-rule destination to configure a destination-based portal redirection rule.

Use undo portal redirect-rule destination to delete a destination-based portal redirection rule.

Syntax

portal redirect-rule destination { host { host-name | ip-address } | ipv6 ipv6-address } [ redirect-url url ]

undo portal redirect-rule destination { host { host-name | ip-address } | ipv6 ipv6-address | all }

Default

Destination-based portal redirection rules with destination IP addresses 10.1.0.6 and 10.168.168.1 exist.

Views

System view

Predefined user roles

network-admin

Parameters

host host-name: Specifies a destination host by its host name, a case-insensitive string of 1 to 253 characters. Valid characters include letters, digits, hyphens (-), underscores (_), and dots (.).

host ip-address: Specifies a destination IPv4 address.

ipv6 ipv6-address: Specifies a destination IPv6 address.

redirect-url url: Specifies the redirection URL. The device will redirect Web requests destined for the specified destination to the specified redirection URL. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters. If you do not specify a redirection URL, the device redirects the user to the redirection URL in a URL redirection match rule (if-match rule) that matches the user's Web request. If no matching if-match rule is found, the device redirects the user to the URL of the portal Web server.

all: Specifies all destination-based portal redirection rules.

Usage guidelines

The device uses destination-based portal redirection rules to perform URL redirection. If the Web request of a portal user matches the specified destination in a redirection rule, the device redirects the user to the URL specified in the redirection rule.

If the Web request of a portal user matches a destination-based portal redirection rule and a URL redirection match rule (configured by using the if-match command), the redirection rule takes effect.

If you specify a host name or IP address in a destination-based portal redirection rule, do not specify a URL that includes the host name or IP address as the redirection URL in another rule. A violation will cause redirect loops.

The system supports a maximum of 10 destination-based portal redirection rules. For the same host or IP address, only one destination-based portal redirection rule is supported.

Examples

# Configure a destination-based portal redirection rule to redirect Web requests destined for host http://www.abc.com.cn to http://192.168.0.1.

<Sysname> system-view

[Sysname] portal redirect-rule destination host www.abc.com.cn redirect-url http://192.168.0.1

Related commands

display portal dns redirect-rule-host

portal redirect log enable

Use portal redirect log enable to enable logging for portal redirect.

Use undo portal redirect log enable to disable logging for portal redirect.

Syntax

portal redirect log enable

undo portal redirect log enable

Default

Portal redirect logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs information about portal redirect packets, including the user IP address, MAC address, SSID, BAS IP, and Web server IP address. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see System Management Configuration Guide.

Examples

# Enable logging for portal redirect.

<Sysname> system-view

[Sysname] portal redirect log enable

Related commands

portal packet log enable

portal user log enable

portal redirect max-session per-user

Use portal redirect max-session per-user to set the maximum number of portal redirect sessions for a single user.

Use undo portal redirect max-session per-user to disable logging for portal redirect.

Syntax

portal redirect max-session per-user number

undo redirect max-session per-user

Default

No limit is set on the number of portal redirect sessions for a single user.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal redirect sessions for a single user, in the range of 1 to 128.

Usage guidelines

If a user client is attacked by malicious software or viruses, it might initiate a large number of portal redirect sessions. You can use this command to limit the number of portal redirect sessions that can be established for a user and limit the portal redirect session processing rate.

The value set by this command applies to the HTTP redirect sessions and HTTPS redirect sessions separately. For example, assume you set the maximum value to 50. Then, the maximum number of portal redirect sessions that can be established per user and that can be processed per second are both 100 (50 for HTTP and 50 for HTTPS).

Examples

# Set the maximum number of portal redirect sessions for a single user to 128.

<Sysname> system-view

[Sysname] portal redirect max-session per-user 128

Related commands

portal redirect max-session

display portal redirect

portal refresh enable

Use portal refresh enable to enable the Rule ARP or ND entry feature for portal clients.

Use undo portal refresh enable to disable the Rule ARP or ND entry feature for portal clients.

Syntax

portal refresh { arp | nd } enable

undo portal refresh { arp | nd } enable

Default

The Rule ARP or ND entry feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

arp: Enables the Rule ARP entry feature.

nd: Enables the Rule ND entry feature.

Usage guidelines

When the Rule ARP or ND entry feature is enabled for portal clients, ARP or ND entries for portal clients are Rule entries after the clients come online. These entries will not age out and will be deleted immediately after the portal clients go offline. If portal clients go offline and then try to come online before these entries are relearned for them, the clients will fail the authentication. In this case, disable this feature so that ARP or ND entries are dynamic entries after the clients come online. The dynamic ARP or ND entries are deleted only when they age out.

Enabling or disabling of this feature does not affect existing Rule ARP or ND entries for portal users.

Examples

# Disable the Rule ARP entry feature for portal clients.

<Sysname> system-view

[Sysname] undo portal refresh arp enable

portal roaming enable

Use portal roaming enable to enable intra-VLAN roaming for portal users.

Use undo portal roaming enable to disable intra-VLAN roaming for portal users.

Syntax

portal roaming enable

undo portal roaming enable

Default

Intra-VLAN roaming is enabled for portal users.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If intra-VLAN roaming is enabled for portal users, an online portal user can access network resources from any Layer 2 port in its local VLAN. If intra-VLAN roaming is disabled for portal users, the portal user can access network resources only from the Layer 2 port on which it passes authentication.

For intra-VLAN roaming to take effect, you must disable the Rule ARP or ND entry feature by using the undo portal refresh { arp | nd } enable command.

Intra-VLAN roaming applies only to portal users that log in from VLAN interfaces.

This command cannot be executed when online users or preauthentication portal users are present on the device.

Examples

# Enable intra-VLAN roaming for portal users.

<Sysname> system-view

[Sysname] portal roaming enable

Related commands

portal refresh enable

portal safe-redirect default-action

Use portal safe-redirect default-action to configure the default action for portal safe-redirect.

Use undo portal safe-redirect default-action to restore the default.

Syntax

portal safe-redirect default-action { forbidden | permit }

undo portal safe-redirect default-action

Default

No default action is configured for portal safe-redirect.

Views

System view

Predefined user roles

network-admin

Parameters

forbidden: Sets the default action to forbid, which drops a packet.

permit: Sets the default action to permit, which permits a packet.

Usage guidelines

The portal safe-redirect default action rule matches URLs that are not permitted or forbidden by portal safe-redirect, and applies the default action to packets containing the matching URLs.

For this command to take effect, make sure the portal safe-redirect feature is enabled.

Portal safe-redirect matches URL information of a Web request packet in the following order:

1.     Matches the HTTP request methods specified for portal safe-redirect.

¡     If the packet does not match a specified HTTP request method, the packet is dropped.

¡     If the packet matches a specified method or no HTTP request methods are specified for portal safe-redirect, the next step applies.

2.     Matches the browser types specified for portal safe-redirect.

¡     If the packet does not match a specified browser type, the packet is dropped.

¡     If the packet matches a specified browser type or no browser types are specified for portal sate-redirect, the next step applies.

3.     Matches the forbidden URLs configured for portal safe-redirect.

¡     If the packet matches a forbidden URL, the packet is dropped.

¡     If the packet does not match a forbidden URL or no forbidden URLs are configured, the next step applies.

4.     Matches the forbidden filename extensions configured for portal safe-redirect.

¡     If the packet matches a forbidden filename extension, the packet is dropped.

¡     If the packet does not match a forbidden filename extension or no forbidden filename extensions are configured for portal safe-redirect, the next step applies.

5.     Matches the permitted URLs configured for portal safe-redirect.

¡     If the packet matches a permitted URL, the packet is permitted.

¡     If the packet does not match a permitted URL or no permitted URLs are configured for portal safe-redirect, the packet is dropped.

6.     Matches the default HTTP request method of portal safe-redirect.

¡     If the packet does not match the default HTTP request method, the packet is dropped.

¡     If the packet matches the default HTTP request method, the next step applies.

7.     Identifies whether browser types are specified portal safe-redirect.

¡     If browser types are specified for portal safe-redirect, the packet is permitted.

¡     If no browser types are specified for portal safe-redirect, the next step applies.

8.     Matches the portal safe-redirect default action rule.

¡     If the packet matches the default action rule, the packet is processed according to the default action.

¡     If the packet does not match the default action rule or the default action is not configured, the next step applies.

9.     Matches the default browser types of portal safe-redirect.

¡     If the packet matches a default browser type, the packet is permitted.

¡     If the packet does not match a default browser type, the packet is dropped.

Examples

# Configure the default action as permit for portal safe-redirect.

<Sysname> system-view

[Sysname] portal safe-redirect default-action permit

Related commands

portal safe-redirect enable

portal safe-redirect forbidden-file

portal safe-redirect forbidden-url

portal safe-redirect method

portal safe-redirect permit-url

portal safe-redirect user-agent

portal safe-redirect enable

Use portal safe-redirect enable to enable the portal safe-redirect feature.

Use undo portal safe-redirect enable to restore the default.

Syntax

portal safe-redirect enable

undo portal safe-redirect enable

Default

The portal safe-redirect feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Portal redirects all HTTP requests except HTTP requests that match portal-free rules to the portal Web server, which might overload the server.

Portal safe-redirect filters HTTP requests by HTTP request method, browser type (in HTTP User Agent), and destination URL, and redirects only the permitted HTTP requests.

As a best practice to avoid server overload and improve security, enable portal safe-redirect on the device.

Examples

# Enable the portal safe-redirect feature.

<Sysname> system-view

[Sysname] portal safe-redirect enable

Related commands

portal safe-redirect forbidden-url

portal safe-redirect method

portal safe-redirect user-agent

portal safe-redirect forbidden-file

Use portal safe-redirect forbidden-file to configure a filename extension forbidden by portal safe-redirect. If the URL of an HTTP request includes the specified filename extension, the device does not redirect the HTTP request.

Use undo portal safe-redirect forbidden-file to delete a portal safe-redirect forbidden filename extension.

Syntax

portal safe-redirect forbidden-file filename-extension

undo portal safe-redirect forbidden-file filename-extension

Default

No forbidden filename extensions are configured. The device redirects HTTP requests regardless of the filename extension in the URL.

Views

System view

Predefined user roles

network-admin

Parameters

filename-extension: Specifies a filename extension forbidden by portal safe-redirect, a case sensitive string of 1 to 16 characters.

Usage guidelines

For this command to take effect, make sure the portal safe-redirect feature is enabled.

You can configure multiple portal safe-redirect forbidden filename extensions.

Examples

# Specify .jpg as a portal safe-redirect forbidden filename extension.

<Sysname> system-view

[Sysname] portal safe-redirect forbidden-file .jpg

Related commands

display portal safe-redirect statistics

portal safe-redirect enable

portal safe-redirect forbidden-url

Use portal safe-redirect forbidden-url to configure a URL forbidden by portal safe-redirect.

Use undo portal safe-redirect forbidden-url to delete a portal safe-redirect forbidden URL.

Syntax

portal safe-redirect forbidden-url user-url-string

undo portal safe-redirect forbidden-url user-url-string

Default

No forbidden URLs are configured. The device can redirect HTTP requests with any URLs.

Views

System view

Predefined user roles

network-admin

Parameters

user-url-string: Specifies a URL forbidden by portal safe-redirect, a case sensitive string of  1 to 256 characters. Valid characters are letters, digits, hyphens (-), underscores (_), and wildcards (asterisks *).

Usage guidelines

For this command to take effect, make sure the portal safe-redirect feature is enabled.

You can repeat this command to configure multiple portal safe-redirect forbidden URLs. The device does not redirect HTTP requests destined for the specified URLs to the portal Web server.

You can configure a forbidden URL in one of the following ways:

·     For exact match—Specify a complete URL. For example, if you configure the URL as abc.com.cn, only Web requests that contain URL abc.com.cn match the rule.

·     For fuzzy match—Specify a URL by placing the asterisk (*) wildcard character at the beginning or end of the URL string. For example, if you configure the URL as *abc.com.cn, abc*, or *abc*, Web requests that carry the URL ending with abc.com.cn, starting with abc, or including abc match the rule.

¡     The asterisk (*) wildcard character represents any characters. The device treats multiple consecutive asterisks as one.

¡     The configured URL cannot contain only asterisks (*).

You cannot configure two forbidden URLs with exactly the same contents.

Examples

# Specify http://www.abc.com as a portal safe-redirect forbidden URL.

<Sysname> system-view

[Sysname] portal safe-redirect forbidden-url http://www.abc.com

Related commands

portal safe-redirect enable

portal safe-redirect method

Use portal safe-redirect method to specify HTTP request methods permitted by portal safe-redirect.

Use undo portal safe-redirect method to delete HTTP request methods permitted by portal safe-redirect.

Syntax

portal safe-redirect method { get | post }*

undo portal safe-redirect method { get | post }*

Default

After portal safe-redirect is enabled, the device redirects only HTTP requests with the GET method.

Views

System view

Predefined user roles

network-admin

Parameters

get: Specifies the GET request method.

post: Specifies the POST request method.

Usage guidelines

After you specify HTTP request methods for portal safe-redirect, the device redirects only the HTTP requests with the specified methods to the portal Web server.

For this command to take effect, make sure the portal safe-redirect feature is enabled.

If you configure this command multiple times, the most recent configuration takes effect.

Examples

# Specify the GET request method for portal safe-redirect.

<Sysname> system-view

[Sysname] portal safe-redirect method get

Related commands

portal safe-redirect enable

portal safe-redirect permit-url

Use portal safe-redirect permit-url to configure a URL permitted by portal safe-redirect.

Use undo portal safe-redirect permit-url to delete a portal safe-redirect permitted URL.

Syntax

portal safe-redirect permit-url user-url-string

undo portal safe-redirect permit-url user-url-string

Default

The device can redirect Web requests with any URLs.

Views

System view

Predefined user roles

network-admin

Parameters

user-url-string: Specifies a URL permitted by portal safe-redirect, a case sensitive string of 1 to 256 characters. Valid characters are letters, digits, hyphens (-), underscores (_), and wildcards (asterisks *).

Usage guidelines

For this command to take effect, make sure the portal safe-redirect feature is enabled.

You can repeat this command to configure multiple portal safe-redirect permitted URLs.

You can configure a permitted URL in one of the following ways:

·     For exact match—Specify a complete URL. For example, if you configure the URL as abc.com.cn, only Web requests that contain URL abc.com.cn match the rule.

·     For fuzzy match—Specify a URL by placing the asterisk (*) wildcard character at the beginning or end of the URL string. For example, if you configure the URL as *abc.com.cn, abc*, or *abc*, Web requests that carry the URL ending with abc.com.cn, starting with abc, or including abc match the rule.

¡     The asterisk (*) wildcard character represents any characters. The device treats multiple consecutive asterisks as one.

¡     The configured URL cannot contain only asterisks (*).

You cannot configure two permitted URLs with exactly the same contents.

Examples

# Specify http://www.abc.com as a portal safe-redirect permitted URL.

<Sysname> system-view

[Sysname] portal safe-redirect permit-url http://www.abc.com

Related commands

portal safe-redirect enable

portal safe-redirect action

portal safe-redirect user-agent

Use portal safe-redirect user-agent to specify a browser type for portal safe-redirect.

Use undo portal safe-redirect user-agent to delete a browser type for portal safe-redirect.

Syntax

portal safe-redirect user-agent user-agent-string

undo portal safe-redirect user-agent user-agent-string

Default

After portal safe-redirect is enabled, the device redirects the HTTP packets matching any browser types in Table 33.

Views

System view

Predefined user roles

network-admin

Parameters

user-agent-string: Specifies a browser type in HTTP User Agent, a case-sensitive string of 1 to 255 characters. You can specify the browser types as shown in Table 33.

Table 33 Browser type and description

Browser type

Description

Safari

Apple browser

Chrome

Google browser

Firefox

Firefox browser

UC

UC browser

QQBrowser

QQ browser

LBBROWSER

Cheetah browser

TaoBrowser

Taobao browser

Maxthon

Maxthon browser

BIDUBrowser

Baidu browser

MSIE 10.0

Microsoft IE 10.0 browser

MSIE 9.0

Microsoft IE 9.0 browser

MSIE 8.0

Microsoft IE 8.0 browser

MSIE 7.0

Microsoft IE 7.0 browser

MSIE 6.0

Microsoft IE 6.0 browser

MetaSr

Sogou browser

 

Usage guidelines

You can execute this command for multiple times to specify multiple browser types. The device redirects an HTTP request only when its User-Agent string contains a specified browser type.

For this command to take effect, make sure the portal safe-redirect feature is enabled.

Examples

# Specify browser types Chrome and Safari for portal safe-redirect.

<Sysname> system-view

[Sysname] portal safe-redirect user-agent Chrome

[Sysname] portal safe-redirect user-agent Safari

Related commands

portal safe-redirect enable

portal server

Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server.

Use undo portal server to delete the specified portal authentication server.

Syntax

portal server server-name

undo portal server server-name

Default

No portal authentication servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

In portal authentication server view, you can configure the following parameters and features for the portal authentication server:

·     IP address of the server.

·     Destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

·     Pre-shared key for communication between the access device and the server.

·     Server detection feature.

You can configure multiple portal authentication servers for an access device.

Examples

# Create the portal authentication server pts and enter its view.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts]

Related commands

display portal server

portal temp-pass enable

Use portal temp-pass enable to enable portal temporary pass and set the temporary pass period.

Use undo portal temp-pass enable to disable portal temporary pass.

Syntax

portal temp-pass [ period period-value ] enable

undo portal temp-pass enable

Default

Portal temporary pass is disabled.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

period period-value: Specifies the temporary pass period. The value range for the period-value argument is 10 to 3600 seconds, and the default is 30 seconds.

Usage guidelines

This command is applicable only in direct portal authentication.

Typically, a portal user cannot access the network before passing portal authentication. This feature allows a user to access the Internet temporarily if the user uses a WeChat account to perform portal authentication. During the temporary pass period, the user provides WeChat authentication information to the WeChat server for the server to interact with the access device to finish portal authentication.

Examples

# On service template service1, enable portal temporary pass and set the temporary pass period to 25 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal temp-pass period 25 enable

Related commands

display portal

portal traffic-accounting disable

Use portal traffic-accounting disable to disable traffic accounting for portal users.

Use undo portal traffic-accounting disable to restore the default.

Syntax

portal traffic-accounting disable

undo portal traffic-accounting disable

Default

Traffic accounting for portal users is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The accounting server might perform time-based or traffic-based accounting, or it might not perform accounting. If the accounting server does not perform traffic-based accounting, disable traffic accounting for portal users on the device. The device will provide quick accounting for portal users, and the traffic statistics will be imprecise. If the accounting server performs traffic-based accounting, enable traffic accounting for portal users. The device will provide precise traffic statistics for portal users.

Examples

# Disable traffic accounting for portal users.

<Sysname> system-view

[Sysname] portal traffic-accounting disable

portal traffic-backup threshold

Use portal traffic-backup threshold to set the user traffic backup threshold.

Use undo portal traffic-backup threshold to restore the default.

Syntax

portal traffic-backup threshold value

undo portal traffic-backup threshold

Default

The user traffic backup threshold is 10 MB.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies the user traffic backup threshold, in MB. The value range for this argument is 0 to 100000. If you set the threshold to 0 MB, the device backs up user traffic in real time.

Usage guidelines

The device backs up traffic for a user when the user's traffic reaches the user traffic backup threshold. A smaller threshold provides more accurate backup for user traffic. However, when a large number of users exist, a small threshold results in frequent user traffic backups, affecting the user online, offline, and accounting processes. Set a proper threshold to balance between service performance and traffic backup accuracy.

Examples

# Set the user traffic backup threshold to 10240 MB.

<Sysname> system-view

[Sysname] portal traffic-backup threshold 10240

portal url-param source-address code-base64

Use portal url-param source-address code-base64 to enable base64 encoding for the user IP address in redirection URLs.

Use undo url-param source-address code-base64 to disable base64 encoding for the user IP address in redirection URLs.

Syntax

portal url-param source-address code-base64

undo portal url-param source-address code-base64

Default

Base64 encoding is disabled for the user IP address in redirection URLs.

Views

Interface view

Service template view

Predefined user roles

network-admin

Usage guidelines

During OAuth-based local portal WeChat authentication, if the redirection URL for portal users carries a user IP address, the WeChat authentication server might fail to identify the user IP address. This will cause portal authentication page push failure. To resolve this issue, perform this task so the device will perform base64 encoding on the user IP address in redirection URLs. In this way, the WeChat authentication server can parse the redirection URL and can correctly push portal authentication pages.

Use this command only when the following conditions are met:

·     OAuth-based local portal WeChat authentication is used.

·     The user IP address parameter is carried in the URL of a portal Web server by specifying the source-address parameter in the url-parameter command.

Examples

# In service template service1, enable base64 encoding for the user IP address in redirection URLs.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal url-param source-address code-base64

Related commands

url-parameter

portal user log enable

Use portal user log enable to enable logging for portal user logins and logouts.

Use undo portal user log enable to disable logging for portal user logins and logouts.

Syntax

portal user log enable

undo portal user log enable

Default

Portal user login and logout logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs information about portal user login and logout events, including the username, IP address, user's MAC address, interface name, VLAN, SSID, AP's MAC address, and reason for login failure. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see System Management Configuration Guide.

Examples

# Enable logging for portal user logins and logouts.

<Sysname> system-view

[Sysname] portal user log enable

Related commands

portal packet log enable

portal redirect log enable

portal user-detect

Use portal user-detect to enable online detection of IPv4 portal users.

Use undo portal user-detect to disable online detection of IPv4 portal users.

Syntax

portal user-detect type { arp | icmp } [ retry retries ] [ interval interval ] [ idle time ]

undo portal user-detect

Default

Online detection of IPv4 portal users is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

type: Specifies the detection type.

arp: Specifies ARP detection.

icmp: Specifies ICMP detection.

retry retries: Specifies the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.

interval interval: Specifies a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.

idle time: Specifies a user idle timeout in the range of 60 to 3600 seconds. The default idle timeout is 180 seconds. When the timeout expires, online detection of IPv4 portal users is started.

Usage guidelines

If the device receives no packets from a portal user within the configured idle time, the device detects the user's online status as follows:

·     ICMP detection—Sends ICMP requests to the user at configurable intervals to detect the user status.

¡     If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡     If the device receives no reply after the maximum number of detection attempts, the device logs out the user.

·     ARP detection—Sends ARP requests to the user and detects the ARP entry status of the user at configurable intervals.

¡     If the ARP entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP entry. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡     If the ARP entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.

Direct authentication and re-DHCP authentication support both ARP detection and ICMP detection. Cross-subnet authentication only supports ICMP detection.

If the access device filters out ICMP packets, ICMP detection might fail and result in the logout of portal users. Make sure the access device does not block ICMP packets before you enable ICMP detection on an interface.

Examples

# Enable online detection of IPv4 portal users on VLAN-interface 100. Configure the detection type as ARP, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal user-detect type arp retry 5 interval 10 idle 300

Related commands

display portal

portal user-dhcp-only

Use portal user-dhcp-only to allow only users with DHCP-assigned IP addresses to pass portal authentication.

Use undo portal user-dhcp-only to restore the default.

Syntax

portal [ ipv6 ] user-dhcp-only

undo portal [ ipv6 ] user-dhcp-only

Default

Both users with DHCP-assigned IP addresses and users with static IP addresses can pass portal authentication to come online.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

Usage guidelines

With this feature enabled, users with static IP addresses cannot pass portal authentication to come online.

To ensure that IPv6 users can pass portal authentication when this feature is enabled, disable the temporary IPv6 address feature on terminal devices. Otherwise, IPv6 users will use temporary IPv6 addresses to access the IPv6 network and will fail portal authentication.

Examples

# Allow only users with DHCP-assigned IP addresses on service template service1 to pass portal authentication.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal user-dhcp-only

Related commands

display portal

portal user-log traffic-separate

Use portal user-log traffic-separate to enable separate IPv4 and IPv6 traffic statistics in portal user offline logs.

Use undo portal user-log traffic-separate to restore the default.

Syntax

portal user-log traffic-separate

undo portal user-log traffic-separate

Default

IPv4 and IPv6 traffic statistics of portal users are collectively counted as IPv4 traffic statistics in portal user offline logs. No IPv6 traffic statistics is displayed in portal user offline logs.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For single-stack users:

·     If this feature is enabled, both IPv4 and IPv6 traffic statistics are displayed in user offline logs. For IPv4 users, the IPv6 traffic statistics is displayed as 0. For IPv6 users, the IPv4 traffic statistics is displayed as 0.

·     If this feature is disabled, traffic statistics of both IPv4 users and IPv6 users are displayed as IPv4 traffic statistics in portal user offline logs.

For dual-stack users:

·     If this feature is enabled, IPv4 and IPv6 traffic statistics of a user are displayed separately in the user offline logs.

·     If this feature is disabled, IPv4 and IPv6 traffic statistics of a user are collectively counted as IPv4 traffic statistics in portal user offline logs.

Examples

# Enable separate IPv4 and IPv6 traffic statistics in portal user offline logs.

<Sysname> system-view

[Sysname] portal user-log traffic-separate

portal user-logoff after-client-offline enable

Use portal user-logoff after-client-offline enable to enable automatic logout for wireless portal users.

Use undo portal user-logoff after-client-offline enable to disable automatic logout for wireless portal users.

Syntax

portal user-logoff after-client-offline enable

undo portal user-logoff after-client-offline enable

Default

Automatic logout is disabled for wireless portal users. Portal users will not be automatically logged out after the wireless clients are disconnected from the wireless network.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After automatic logout is enabled for wireless portal users, the device will automatically log out a portal user after the user is disconnected from the wireless network.

Examples

# Enable automatic logout for wireless portal users.

<Sysname> system-view

[Sysname] portal user-logoff after-client-offline enable

portal user-logoff ssid-switch enable

Use portal user-logoff ssid-switch enable to enable the device to log out wireless portal users when they switch SSIDs.

Use undo portal user-logoff ssid-switch enable to disable the device from logging out wireless portal users when they switch SSIDs.

Syntax

portal user-logoff ssid-switch enable

undo portal user-logoff ssid-switch enable

Default

The device does not log out wireless portal users when they switch SSIDs and the users stay online.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When an authenticated user switches the SSID to access through another service template associated with the same VLAN with the original service template, the user fails portal authentication.

Use this command to log out wireless portal users on the original service template when they switch SSIDs so that they can pass portal authentication on the new service template.

Examples

# Enable the device to log out wireless portal users when they switch SSIDs.

<Sysname> system-view

[Sysname] portal user-logoff ssid-switch enable

portal web-server

Use portal web-server to create a portal Web server and enter its view, or enter the view of an existing portal Web server.

Use undo portal web-server to delete a portal Web server.

Syntax

portal web-server server-name

undo portal web-server server-name

Default

No portal Web servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP requests of unauthenticated portal users to the portal Web server. In portal Web server view, you can configure the URL and URL parameters for the portal Web server and the portal Web server detection feature.

Examples

# Create the portal Web server wbs and enter its view.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs]

Related commands

display portal web-server

portal apply web-server

portal wifidog user-sync interval

Use portal wifidog user-sync interval to enable user information synchronization and set the synchronization interval for portal authentication using WiFiDog.

Use undo portal wifidog user-sync interval to disable user information synchronization and cancel the synchronization interval setting for portal authentication using WiFiDog.

Syntax

portal wifidog user-sync interval interval

undo portal wifidog user-sync interval

Default

User information synchronization is disabled for portal authentication using WiFiDog.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the user information synchronization interval, in the range of 60 to 1440 minutes.

Usage guidelines

Use this feature when users perform portal authentication using the WiFiDog protocol. This feature enables the device to periodically synchronize user information with the portal server to ensure user information consistency between the device and the portal server.

For this feature to take effect, make sure the type of the portal Web server is Wifidog before you perform this task. To specify the type of the portal Web server, use the server-type command.

Examples

# Enable user information synchronization and set the synchronization interval to 61 minutes for portal authentication using WiFiDog.

<Sysname> system-view

[Sysname] portal wifidog user-sync interval 61

Related commands

server-type

portal { bas-ip | bas-ipv6 }

Use portal { bas-ip | bas-ipv6 } to configure the BAS-IP or BAS-IPv6 attribute carried in the portal packets sent to the portal authentication server.

Use undo portal { bas-ip | bas-ipv6 } to delete the BAS-IP or BAS-IPv6 attribute setting.

Syntax

portal { bas-ip ipv4-address | bas-ipv6 ipv6-address }

undo portal { bas-ip | bas-ipv6 }

Default

The BAS-IP attribute of an IPv4 portal reply packet sent to the portal authentication server is the source IPv4 address of the packet. The BAS-IPv6 attribute of an IPv6 portal reply packet sent to the portal authentication server is the source IPv6 address of the packet.

The BAS-IP attribute of an IPv4 portal notification packet sent to the portal authentication server is the IPv4 address of the packet's outgoing interface. The BAS-IPv6 attribute of an IPv6 portal notification packet sent to the portal authentication server is the IPv6 address of the packet's outgoing interface.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

bas-ip ipv4-address: Specifies BAS-IP for portal packets sent to the portal authentication server. The ipv4-address argument must be the IPv4 address of an interface on the device. It cannot be 0.0.0.0, 1.1.1.1, a class D address, a class E address, or a loopback address.

bas-ipv6 ipv6-address: Specifies BAS-IPv6 for portal packets sent to the portal authentication server. The ipv6-address argument must be the IPv6 address of an interface on the device. It cannot be a multicast address, an all 0 address, or a link-local address.

Usage guidelines

If the device runs Portal 2.0, unsolicited portal packets (such as a logout notification packet) sent to the portal authentication server must carry the BAS-IP attribute. If the device runs Portal 3.0, unsolicited portal packets sent to the portal authentication server must carry the BAS-IP or BAS-IPv6 attribute.

After this command takes effect, the source IP address for unsolicited notification portal packets the device sends to the portal authentication server is the configured BAS-IP or BAS-IPv6. If the BAS IP address is not configured, the source IP address of the packets is the IP address of the packet output interface.

You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface or service template if the following conditions are met:

·     The portal authentication server is an H3C IMC server or the portal authentication mode on the interface is re-DHCP.

·     The portal device IP address specified on the portal authentication server is not the IP address of the portal packet output interface.

Examples

# On service template service1, configure the BAS-IP attribute as 2.2.2.2 for portal packets sent to the portal authentication server.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal bas-ip 2.2.2.2

Related commands

display portal

portal { ipv4-max-user | ipv6-max-user }

Use portal { ipv4-max-user | ipv6-max-user } to set the maximum number of portal users allowed on an interface or a service template.

Use undo portal { ipv4-max-user | ipv6-max-user } to restore the default.

Syntax

portal { ipv4-max-user | ipv6-max-user } max-number

undo portal { ipv4-max-user | ipv6-max-user }

Default

The maximum number of portal users allowed on an interface or a service template is not limited.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of IPv4 or IPv6 portal users allowed on an interface or a service template, in the range of 1 to 4294967295.

Usage guidelines

If the specified maximum number is smaller than the number of current online portal users on the interface or service template, the limit can be set successfully. The limit does not impact the online portal users. However, the device does not allow new portal users to log in from the interface or service template until the number drops down below the limit.

Make sure the maximum combined number of IPv4 and IPv6 portal users specified on all interfaces or service templates does not exceed the system-allowed maximum number. Otherwise, the exceeding portal users will not be able to log in to the device.

Examples

# Set the maximum number of IPv4 portal users to 100 on service template service1.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname–Vlan-interface100] portal ipv4-max-user 100

Related commands

display portal user

portal max-user

redirect-url

Use redirect-url to specify the URL to which portal users are redirected after they pass QQ or Facebook authentication.

Use undo redirect-url to restore the default.

Syntax

redirect-url url-string

undo redirect-url

Default

Portal users are redirected to URLs http://lvzhou.h3c.com/portal/qqlogin.html and http://oauthindev.h3c.com/portal/fblogin.html after they pass QQ authentication and Facebook authentication, respectively.

Views

QQ authentication server view

Facebook authentication server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL to which portal users are redirected after they pass QQ or Facebook authentication. The URL is a case-sensitive string of 1 to 256 characters.

Usage guidelines

After a portal user passes QQ or Facebook authentication, the user is redirected to the specified webpage to complete portal authentication.

You must enable DNS proxy and specify the IP address of an interface on the device as the DNS server.

Examples

# Configure the device to redirect portal users to URL http://www.abc.com/portal/qqlogin.html after they pass QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] redirect-url http://www.abc.com/portal/qqlogin.html

# Configure the device to redirect portal users to URL http://www.abc.com/portal/qqlogin.html after they pass Facebook authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] redirect-url http://www.abc.com/portal/qqlogin.html

Related commands

display portal extend-auth-server

reset portal auth-error-record

Use reset portal auth-error-record to clear portal authentication error records.

Syntax

reset portal auth-error-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all portal authentication error records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Examples

# Clear all portal authentication error records.

<Sysname> reset portal auth-error-record all

# Clear portal authentication error records of the portal user whose IPv4 address is 11.1.0.1.

<Sysname> reset portal auth-error-record ipv4 11.1.0.1

# Clear portal authentication error records of the portal user whose IPv6 address is 2000::2.

<Sysname> reset portal auth-error-record ipv6 2000::2

# Clear portal authentication error records with the error time in the range of 2016/3/4 14:20 to 2016/3/4 16:23.

<Sysname> reset portal auth-error-record start-time 2016/3/4 14:20 end-time 2016/3/4 16:23

Related commands

display portal auth-error-record

reset portal auth-fail-record

Use reset portal auth-fail-record to clear portal authentication failure records.

Syntax

reset portal auth-fail-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all portal authentication failure records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Clear all portal authentication failure records.

<Sysname> reset portal auth-fail-record all

# Clear portal authentication failure records of the portal user whose IPv4 address is 11.1.0.1.

<Sysname> reset portal auth-fail-record ipv4 11.1.0.1

# Clear portal authentication failure records of the portal user whose IPv6 address is 2000::2.

<Sysname> reset portal auth-fail-record ipv6 2000::2

# Clear portal authentication failure records of the portal user whose username is abc.

<Sysname> reset portal auth-fail-record username abc

# Clear portal authentication failure records with the failure time in the range of 2016/3/4 14:20 to 2016/3/4 16:23.

<Sysname> reset portal auth-fail-record start-time 2016/3/4 14:20 end-time 2016/3/4 16:23

Related commands

display portal auth-fail-record

reset portal captive-bypass statistics

Use reset portal captive-bypass statistics to clear portal captive-bypass packet statistics.

Syntax

reset portal captive-bypass statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear portal captive-bypass packet statistics.

<Sysname> reset portal captive-bypass statistics

Related commands

display portal captive-bypass statistics

reset portal local-binding mac-address

Use reset portal local-binding mac-address to clear local MAC-account binding entries.

Syntax

reset portal local-binding mac-address { mac-address | all }

Views

User view

Predefined user roles

network-admin

Parameters

mac-address: Specifies the MAC address of a portal user, in the format of H-H-H.

all: Specifies all local MAC-account binding entries.

Examples

# Clear all local MAC-account binding entries.

<Sysname> reset portal local-binding mac-address all

Related commands

display portal local-binding mac-address

local-binding aging-time

reset portal logout-record

Use reset portal logout-record to clear portal user offline records.

Syntax

reset portal logout-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all portal user offline records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Examples

# Clear all portal user offline records.

<Sysname> reset portal logout-record all

# Clear offline records of the portal user whose IPv4 address is 11.1.0.1.

<Sysname> reset portal logout-record ipv4 11.1.0.1

# Clear offline records of the portal user whose IPv6 address is 2000::2.

<Sysname> reset portal logout-record ipv6 2000::2

# Clear offline records of the portal user whose username is abc.

<Sysname> reset portal logout-record username abc

# Clear portal user offline records with the logout time in the range of 2016/3/4 14:20 to 2016/3/4 16:23.

<Sysname> reset portal logout-record start-time 2016/3/4 14:20 end-time 2016/3/4 16:23

Related commands

display portal logout-record

reset portal packet statistics

Use reset portal packet statistics to clear packet statistics for portal authentication servers.

Syntax

reset portal packet statistics [ extend-auth-server { cloud | facebook | mail | qq | wechat } | mac-trigger-server server-name | server server-name ]

Views

User view

Predefined user roles

network-admin

Parameters

extend-auth-server: Specifies a third-party authentication server by its type.

facebook: Specifies the Facebook authentication server.

cloud: Specifies the cloud authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

mac-trigger-server: Specify a MAC binding server by its name, a case-sensitive string of 1 to 32 characters. If you do not specify a MAC binding server, this command clears packet statistics for the specified portal authentication server.

server server-name: Specifies a normal portal authentication server by its name, a case-sensitive string of 1 to 32 characters. If you do not specify this parameter, this command clears packet statistics for the specified MAC binding server.

Usage guidelines

If you do not specify any parameters, this command clears packet statistics for all portal authentication servers and MAC binding servers.

Examples

# Clear packet statistics for portal authentication server pts.

<Sysname> reset portal packet statistics server pts

# Clear packet statistics for MAC binding server newps.

<Sysname> reset portal packet statistics mac-trigger-server newpt

# Clear packet statistics for the cloud authentication server.

<Sysname> reset portal packet statistics extend-auth-server cloud

Related commands

display portal packet statistics

reset portal redirect session-record

Use reset portal redirect session-record to clear history records about portal redirect sessions.

Syntax

reset portal redirect session-record

Views

User view

Predefined user roles

network-admin

Examples

# Clear history records about portal redirect sessions.

<Sysname> reset portal redirect session-record

Related commands

display portal redirect session-record

reset portal redirect session-statistics

Use reset portal redirect session-statistics to clear summary statistics for portal redirect sessions.

Syntax

reset portal redirect session-statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear summary statistics for portal redirect sessions.

<Sysname> reset portal redirect session-statistics

Related commands

display portal redirect session-statistics

reset portal redirect statistics

Use reset portal redirect statistics to reset portal redirect packet statistics.

Syntax

reset portal redirect statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear portal redirect packet statistics.

<Sysname> reset portal redirect statistics

Related commands

display portal safe-redirect statistics

reset portal safe-redirect statistics

Use reset portal safe-redirect statistics to clear portal safe-redirect packet statistics.

Syntax

reset portal safe-redirect statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear portal safe-redirect packet statistics.

<Sysname> reset portal safe-redirect statistics

Related commands

display portal safe-redirect statistics

server-detect (portal authentication server view)

Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status.

Use undo server-detect to disable portal authentication server detection.

Syntax

server-detect [ timeout timeout ] { log | trap } *

undo server-detect

Default

Portal authentication server detection is disabled.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds.

log: Enables the device to send a log message when reachability status of the portal authentication server changes. The log message contains the name, the original state, and the current state of the portal authentication server.

trap: Enables the device to send a trap message to the NMS when reachability status of the portal authentication server changes. The trap message contains the name and the current state of the portal authentication server.

Usage guidelines

The portal authentication server detection feature takes effect only when the device has a portal-enabled interface.

To test server reachability by detecting heartbeat packets, you must enable the server heartbeat feature on the portal authentication server. Only the IMC portal authentication server supports sending heartbeat packets.

The detection timeout configured on the device must be greater than the server heartbeat interval configured on the portal authentication server.

If the device receives portal packets from the portal authentication server before the detection timeout expires and verifies the correctness of the packets, the device considers the portal authentication server is reachable. Otherwise, the device considers the portal authentication server is unreachable.

Examples

# Enable server detection for the portal authentication server pts:

·     Set the detection timeout to 600 seconds.

·     Configure the device to send a log message if the server reachability status changes.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-detect timeout 600 log

Related commands

portal server

server-detect (portal Web server view)

Use server-detect to enable portal Web server detection.

Use undo server-detect to disable portal Web server detection.

Syntax

server-detect [ interval interval ] [ retry retries ] { log | trap } *

undo server-detect

Default

Portal Web server detection is disabled.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a detection interval in the range of 1 to 1200 seconds. The default is 5 seconds. As a best practice, set the detection interval to a value no less than 5.

retry retries: Specifies the maximum number of consecutive detection failures, in the range of 1 to 10. The default is 3. If the number of consecutive failed detections reaches this threshold, the device considers the server as unreachable.

log: Enables the device to send a log message when reachability status of the portal Web server changes. The log message contains the name, the original state, and the current state of the portal Web server.

trap: Enables the device to send a trap message to the NMS when reachability status of the portal Web server changes. The trap message contains the name and the current state of the portal Web server.

Usage guidelines

The access device performs server detection independently. No configuration on the portal Web server is required for the detection.

The portal Web server detection feature takes effect only when the URL of the portal Web server is specified and the device has a portal-enabled interface.

Examples

# Enable server detection for the portal Web server wbs:

·     Set the detection interval to 600 seconds.

·     Set the maximum number of consecutive detection failures to 2.

·     Configure the device to send a log message and a trap massage after server reachability status changes.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] server-detect interval 600 retry 2 log trap

Related commands

portal web-server

server-detect url

Use server-detect url to configure the URL and the type for portal Web server detection.

Use undo server-detect url to restore the default.

Syntax

server-detect url string [ detect-type { http | tcp } ]

undo server-detect url

Default

The URL for portal Web server detection is the URL of the portal Web server. The type of portal Web server detection is TCP detection.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

string: Specifies a URL to detect the reachability of the portal Web server. The URL is a case-sensitive string of 1 to 256 characters.

detect-type: Specifies the type of portal Web server detection. If this keyword is not specified, TCP detection is used.

tcp: Specifies the TCP detection.

http: Specifies the HTTP detection.

Usage guidelines

This configuration takes effect only when portal Web server detection is enabled.

Examples

# Configure http://www.test.com/portal as the portal Web server detection URL.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] server-detect url http://www.test.com/portal

# Configure http://www.test.com/portal as the portal Web server detection URL and specify TCP as the detection type.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] server-detect url http://www.test.com/portal detect-type tcp

# Configure http://www.test.com/portal as the portal Web server detection URL and specify HTTP as the detection type.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] server-detect url http://www.test.com/portal detect-type http

Related commands

server-detect (portal Web server view)

server-register

Use server-register to configure the device to periodically send register packets to the portal authentication server.

Use undo server-register to restore the default.

Syntax

server-register [ interval interval ]

undo server-register

Default

The device does not send register packets to a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the interval at which the device sends register packets to the portal authentication server, in seconds. The value range for the interval argument is 1 to 3600, and the default value is 600.

Usage guidelines

This feature is typically used in scenarios where a NAT device exists between a portal authentication server and a large number of access devices.

Before this feature is used, you must configure a static NAT mapping for each access device on the NAT device, causing much workload. After this feature is enabled on an access device, the access device automatically sends a register packet to the portal authentication server. When the server receives the register packet, it records register information for the access device, including the device name, and the IP address and port number after NAT. The register information is used for subsequent authentication information exchanges between the server and the access device. The access device updates its register information on the server by sending register packets at regular intervals.

Only CMCC portal authentication servers support this feature.

Examples

# Configure the device to send register packets to portal authentication server pts at the interval of 120 seconds.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-register interval 120

Related commands

server-type (portal authentication server view/portal Web server view)

server-type (MAC binding server view)

Use server-type to specify the type of a MAC binding server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc }

undo server-type

Default

The type of the MAC binding server is IMC.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the MAC binding server type as CMCC.

imc: Specifies the MAC binding server type as IMC.

Examples

# Specify the type of the MAC binding server as cmcc.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] server-type cmcc

server-type (portal authentication server view/portal Web server view)

Use server-type to specify the type of a portal authentication server or portal Web server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc | ise | oauth | wifidog }

undo server-type

Default

The type of the portal authentication server and portal Web server is IMC.

Views

Portal authentication server view

Portal Web server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the portal server type as CMCC.

imc: Specifies the portal server type as IMC.

ise: Specifies the portal server type as ISE. This keyword is supported only in portal Web server view.

oauth: Specifies the portal server type as cloud platform. This keyword is supported only in portal Web server view.

wifidog: Specifies the server type as WiFiDog. This keyword is supported only in portal Web server view.

Usage guidelines

Specify the portal server type on the device with the server type the device actually uses.

Examples

# Specify the type of the portal authentication server as cmcc.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-type cmcc

# Specify the type of the portal Web server as cmcc.

<Sysname> system-view

[Sysname] portal web-server pts

[Sysname-portal-websvr-pts] server-type cmcc

Related commands

display portal server

shop-id

Use shop-id to specify the shop ID for WeChat authentication.

Use undo shop-id to restore the default.

Syntax

shop-id shop-id

undo shop-id

Default

No shop ID is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

shop-id: Specifies the ID of the shop where the device is deployed as a portal device for WeChat authentication.

Usage guidelines

This configuration is required for the device to provide local WeChat authentication for portal users.

To obtain the shop ID for WeChat authentication, you must perform the following tasks:

1.     Go to the WeChat Official Account Admin Platform (https://mp.weixin.qq.com) to apply a WeChat official account.

2.     Use the account to log in to the platform and enable the WeChat WiFi hotspot feature.

3.     Click the device management tab, add the device: select the shop where the device is deployed, select the portal device type, and enter the SSID of your WiFi network.

After the previous configurations, you will obtain the credentials (app ID, app key, and shop ID) for WeChat authentication.

When a WeChat user attempts to connect to the WiFi network provided in the specified shop, the device sends the credentials to the WeChat Official Account Platform for verification. After the credentials are verified, the device continues the portal authentication and allows the user to use the WiFi network after the authentication.

The shop ID specified in this command must be the same as the shop ID obtained from the WeChat Official Account Admin Platform.

Examples

# Specify 6747662 as the shop ID for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] shop-id 6747662

Related commands

display portal extend-auth-server

subscribe-required enable

Use subscribe-required enable to enable the subscribe-required feature for WeChat authentication.

Use undo subscribe-required enable to disable the subscribe-required feature for WeChat authentication.

Syntax

subscribe-required enable

undo subscribe-required enable

Default

The subscribe-required feature is disabled for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Usage guidelines

When the subscribe-required feature is enabled, portal users must follow WeChat official accounts to pass WeChat authentication.

This feature must be used with the portal temporary pass feature. As a best practice, set the temporary pass period to 600 seconds.

Examples

# Enable the subscribe-required feature for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] subscribe-required enable

tcp-port

Use tcp-port to configure a listening TCP port for a local portal Web service.

Use undo tcp-port to restore the default.

Syntax

tcp-port port-number

undo tcp-port

Default

The listening TCP port number for HTTP is 80 and that for HTTPS is the TCP port number set by using the portal local-web-server command.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening TCP port number in the range of 1 to 65535.

Usage guidelines

To use the local portal Web service, make sure the port number in the portal Web server URL and the port number configured in this command are the same.

For successful local portal authentication, follow these guidelines:

·     Do not configure the listening TCP port number for a local portal Web service as the port number used by a known protocol. For example, do not specify port numbers 21 and 23, which are used by FTP and Telnet, respectively.

·     Do not configure the HTTP listening port number as the default HTTPS listening port number 443.

·     Do not configure the HTTPS listening port number as the default HTTP listening port number 80.

·     Do not configure the same listening port number for HTTP and HTTPS.

·     For the HTTPS-based local portal Web service and other services that use HTTPS:

¡     If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.

¡     If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.

Examples

# Set the listening port number to 2331 for the HTTP-based local portal Web service.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] tcp-port 2331

Related commands

portal local-web-server

url

Use url to specify a URL for a portal Web server.

Use undo url to restore the default.

Syntax

url url-string

undo url

Default

No URL is specified for a portal Web server.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

url-string: Specifies a URL for the portal Web server, a case-sensitive string of 1 to 256 characters.

Usage guidelines

This command specifies a URL that can be accessed through standard HTTP or HTTPS. The URL should start with http:// or https://. If the URL you specify does not start with http:// or https://, the system considers the URL begins with http:// by default.

Examples

# Configure the URL for the portal Web server wbs as http://www.test.com/portal.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url http://www.test.com/portal

Related commands

display portal web-server

url-parameter

Use url-parameter to configure the parameters carried in the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user.

Use undo url-parameter to delete the parameters carried in the URL of the portal Web server.

Syntax

url-parameter param-name { nas-id | nas-port-id | original-url | source-address | ssid | { ap-mac | source-mac } [ format section { 1 | 3 | 6 } { lowercase | uppercase } ] [ encryption { aes | des } key { cipher | simple } string ] | value expression | vlan }

undo url-parameter param-name

Default

No URL parameters are configured for a portal Web server.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

param-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. Content of the parameter is determined by the following keyword you specify.

nas-id: Specifies the NAS-ID.

nas-port-id: Specifies the NAS-Port-ID.

original-url: Specifies the URL of the original webpage that a portal user visits.

source-address: Specifies the user IP address.

ssid: Specifies the SSID of the AP.

ap-mac: Specifies the MAC address of the AP.

source-mac: Specifies the user MAC address.

format: Specifies the format of the MAC address.

section: Specifies the number of sections that a MAC address contains.

1: Specifies the one-section format XXXXXXXXXXXX.

3: Specifies the three-section format XXXX-XXXX-XXXX.

6: Specifies the six-section format XX-XX-XX-XX-XX-XX.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

encryption: Specifies the encryption algorithm to encrypt the MAC address of the AP or user.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

·     If des cipher is specified, the string length is 41 characters.

·     If des simple is specified, the string length is 8 characters.

·     If aes cipher is specified, the string length is 1 to 73 characters.

·     If aes simple is specified, the string length is 1 to 31 characters.

value expression: Specifies a custom case-sensitive string of 1 to 256 characters.

vlan: Specifies the user VLAN ID.

Usage guidelines

You can configure multiple URL parameters.

To avoid redirection failure, add only necessary URL parameters to the portal Web server URL. Ensure that the total length of the portal Web server URL is no longer than 2048 bytes.

If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect.

After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users. For example, assume that the URL of a portal Web server is http://www.test.com/portal, and you execute the url-parameter userip source-address and url-parameter userurl value http://www.abc.com/welcome commands. Then, the access device sends to the user whose IP address is 1.1.1.1 the URL http://www.test.com/portal?userip=1.1.1.1&userurl=http://www.abc.com/welcome.

When you configure the param-name argument in this command, you must use the URL parameter name supported by the actual portal server. Different portal server types support different URL parameter names.

For example, the IMC server supports parameter names userurl, userip, and usermac for the keywords original-url, source-address, and source-mac, respectively. To carry the user IP information in the portal Web server URL, you must configure the parameter name as userip and specify the source-address keyword.

If you specify the encryption algorithm for a parameter, the redirection URL carries the encrypted value for the parameter. Execute the url-parameter usermac source-mac encryption des key simple 12345678 command. Then, the access device sends to the user with MAC address 1111-1111-1111 the URL http://www.test.com/portal?usermac=xxxxxxxxx&userip=1.1.1.1&userurl= http://www.test.com/welcome, where xxxxxxxxx represents the encrypted user MAC address.

Examples

# Configure URL parameters userip and userurl for portal Web server wbs. Configure the value of the userip parameter as source-address (the IP addresses of users) and that of the userurl parameter as http://www.abc.com/welcome.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter userip source-address

[Sysname-portal-websvr-wbs] url-parameter userurl value http://www.abc.com/welcome

# Configure URL parameter usermac for portal Web server wbs. Configure the value of the usermac parameter as source-mac (the MAC addresses of users) and specify DES to encrypt the MAC addresses.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter usermac source-mac encryption des key simple 12345678

# Configure URL parameter uservlan for portal Web server wbs. Configure the value of the uservlan parameter as vlan (the VLAN IDs of users.)

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter uservlan vlan

Related commands

display portal web-server

url

user-agent

Use user-agent to configure the User-Agent match string.

Use undo user-agent to restore the default.

Syntax

user-agent user-agent-string

undo user-agent

Default

The User-Agent match string is MicroMessenger.

Views

Local portal Web service view

Predefined user roles

network-admin

Parameters

user-agent-string: Specifies the User-Agent match string, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the User-Agent match string as text.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] user-agent text

user-password modify enable

Use user-password modify enable to enable local portal user password modification.

Use undo user-password modify enable to disable local portal user password modification.

Syntax

user-password modify enable

undo user-password modify enable

Default

Local portal user password modification is disabled.

Views

Local portal Web service view

Predefined user roles

network-admin

Usage guidelines

This feature enables the local portal Web service to display the password modification button on the portal authentication page. Local portal users can change their passwords through this button.

Examples

# In local portal Web service view, enable local portal user password modification.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] user-password modify enable

Related commands

portal local-web-server

user-sync

Use user-sync to enable portal user synchronization for a portal authentication server.

Use undo user-sync to disable portal user synchronization for a portal authentication server.

Syntax

user-sync timeout timeout

undo user-sync

Default

Portal user synchronization is disabled for a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Specifies a detection timeout for synchronization packets, in the range of 60 to 18000 seconds.

Usage guidelines

This feature enables the device to reply to and periodically detect the synchronization packets from the portal authentication server. In this way, information about online portal users on the device and on the portal authentication server remains consistent.

·     For information of the users considered as nonexistent on the portal authentication server, the device deletes the information after the configured detection timeout expires.

·     If the user information from the portal authentication server does not exist on the device, the device encapsulates IP addresses of the users in user heartbeat reply packets to the server. The portal authentication server then deletes the users.

Portal user synchronization requires that the portal authentication server support the portal user heartbeat feature. Now, only the IMC portal authentication server supports portal user heartbeat. To implement portal user synchronization, you need to configure the user heartbeat feature on the portal authentication server. Make sure the user heartbeat interval configured on the portal authentication server is not greater than the synchronization detection timeout configured on the access device.

Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable portal user synchronization for the portal authentication server pts and set the detection timeout to 600 seconds. If a use has not appeared in the synchronization packets sent by the portal authentication server for 600 seconds, the access device logs out the user.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] user-sync timeout 600

Related commands

portal server

version

Use version to specify the version of the portal protocol.

Use undo version to restore the default.

Syntax

version version-number

undo version

Default

The version of the portal protocol is 1.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

version-number: Specifies the portal protocol version in the range of 1 to 3.

Usage guidelines

The specified portal protocol version must be that required by the MAC binding server.

Examples

# Configure the device to use portal protocol version 2 to communicate with the MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] version 2

Related commands

display portal mac-trigger-server

portal mac-trigger-server

web-redirect url

Use web-redirect url to enable the Web redirect feature.

Use undo web-redirect url to disable the Web redirect feature.

Syntax

web-redirect [ ipv6 ] url url-string [ interval interval ]

undo web-redirect [ ipv6 ]

Default

The Web redirect feature is disabled.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 Web redirect feature. Do not specify this keyword for the IPv4 Web redirect feature.

url url-string: Specifies the URL to which the user is redirected, a string of 1 to 256 characters. The URL must exist and must be a complete URL beginning with http:// or https://.

interval interval: Specifies the time interval at which the user is redirected to the specified URL. It is in the range of 60 to 86400 seconds. The default interval is 86400 seconds.

Usage guidelines

This feature redirects a user on an interface or a service template to the specified URL before the user can access an external network through a Web browser. After the specified interval, the user is redirected to the specified URL again.

The Web redirect feature takes effect only on HTTP packets that use the default port number 80.

On a service template, you cannot enable both Web redirect and portal authentication.

To use the device URL as the Web redirect URL or allow users to successfully access the device URL, you must enable the HTTP service. To enable the HTTP service, use the ip http enable command.

To push different advertisement pages to different users, you can carry parameters in the redirect URL (by using the url url-string option) as needed. The following parameters are available:

·     userip=%c—IP address of the user.

·     usermac=%m—MAC address of the user.

·     nasid=%n—NAS identifier of the device.

·     ssid=%E—SSID with which the user associates.

·     originalurl=%o—Original URL that the user enters in the browser.

Make sure the arrangement of the parameters conforms to the format of http://XXXX/index.html?userip=%c&usermac=%m&nasid=%n&ssid=%E&originalurl=%o.

Examples

# Configure IPv4 Web redirect on service template service1. Set the redirect URL to http://192.0.0.1 /index.html?userip=%c&usermac=%m&nasid=%n&ssid=%E&originalurl=%o and the interval to 3600 seconds.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] web-redirect url http://192.0.0.1 /index.html?userip=%c&usermac=%m&nasid=%n&ssid=%E&originalurl=%o interval 3600

Related commands

display web-redirect rule

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网