
Configuring an External Portal Server

Context

To ensure proper communication between the device and an external Portal server for authentication, configure the following information:
  • Portal server template: manages parameters of the Portal server, such as the IP address.
  • Parameters for information exchange with the Portal server: When the device connects to the Portal server, you need to configure information such as the Portal protocol version, to ensure proper communication and security.

Procedure

  • Configure a Portal server template.

    1. Run system-view

      The system view is displayed.

    2. Run web-auth-server server-name

      A Portal server template is created and the Portal server template view is displayed.

      By default, no Portal server template is created.

    3. Run protocol portal

      The protocol used in Portal authentication is set to Portal.

      By default, the Portal protocol is used in Portal authentication.

    4. Run server-ip { server-ip-address &<1-10> | ipv6 server-ipv6-address &<1-3> }

      The IP address of a Portal server is configured.

      By default, no IP address of a Portal server is configured.

    5. (Optional) Configure a source IP address for the device to communicate with the Portal server.

      • Run source-ip ip-address

        A source IP address is configured for the device to communicate with the Portal server.

      • Run source-interface interface-type interface-number

        An IP address of the specified interface is configured for the device to communicate with the Portal server.

        By default, no source IP address is configured for the device.

    6. (Optional) Run port port-number [ all ]

      A destination port number is configured for the device to send packets to the Portal server.

      By default, the device uses the destination port number 50100 to send packets to the Portal server.

    7. Run shared-key cipher key-string

      A shared key is configured for the device to exchange information with the Portal server.

      By default, no shared key is configured.

    8. Run vpn-instance vpn-instance-name

      A VPN instance is configured for the device to communicate with the Portal server.

      By default, no VPN instance is configured for the device to communicate with the Portal server.

    9. (Optional) Run web-redirection disable

      The Portal authentication redirection function is disabled.

      By default, the Portal authentication redirection function is enabled.

      The device redirects all unauthenticated users to the Portal authentication page when the users send access requests to external networks. However, in some special scenarios (for example, users need to manually enter the URL of the authentication page), you can run the web-redirection disable command to disable the Portal authentication redirection function.

    10. Configure the URL of the Portal server.

      You can bind a URL or a URL template to a Portal server template. Compared with URL binding, URL template binding allows you to configure the redirect URL of the Portal server and configure the URL to carry parameters related to users or the access device. The Portal server can then obtain user terminal information from the parameters carried in the URL and provide different Portal authentication pages for different users. Choose URL binding mode or URL template binding mode based on actual requirements.

      • URL binding mode

        Run url url-string

        A URL is configured for the Portal server.

        By default, no URL is configured for the Portal server.

      • URL template binding mode

        1. Create and configure a URL template.

          1. Run quit

            Return to the system view.

          2. Run url-template name template-name

            A URL template is created and the URL template view is displayed.

            By default, no URL template is created on the device.

          3. Run url [ redirect-only ] url-string [ ssid ssid ]

            A redirect URL is configured for the Portal server.

            By default, no redirect URL is configured for the Portal server.

          4. Run url-parameter { device-ip device-ip-value | device-mac device-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | login-url url-key url | redirect-url redirect-url-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | user-vlan user-vlan-value | ap-group-name ap-group-name-value | ap-location ap-location-value | ap-name ap-name-value } *

            Parameters carried in the URL are configured.

            By default, a URL does not carry parameters.

          5. Run url-parameter mac-address format delimiter delimiter { normal | compact }

            The MAC address format in the URL is configured.

            By default, the MAC address format in a URL is XXXXXXXXXXXX.

          6. Run parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } *

            Characters in the URL are configured.

            By default, the start character in a URL is a question mark (?), the assignment character is an equal sign (=), and the delimiter between parameters is an ampersand (&).

          7. (Optional) Run url-parameter set device-ip device-ip

            Redirection parameter values are set.

            By default, the device automatically obtains redirection parameter values.

          8. Run quit

            Return to the system view.

        2. Run web-auth-server server-name

          The Portal server template view is displayed.

        3. Run url-template url-template [ ciphered-parameter-name ciphered-parameter-name iv-parameter-name iv-parameter-name key cipher key-string ]

          The URL template is bound to the Portal server template.

          By default, no URL template is bound to a Portal server template.

          The device supports encryption of parameter information in the URL template only when it connects to the Huawei Agile Controller-Campus or iMaster NCE-Campus.
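          The following configuration walks through the whole Portal server template procedure above in URL template binding mode. It is an added example, not configuration taken from the Huawei documentation: the template name portal1, the URL template name tpl1, the Portal server address 192.168.10.5, the device source address 10.1.1.1, the URL, the parameter names nasip, userip and usermac, and the shared key are all constructed placeholders. Lines beginning with # are explanatory annotations, not CLI input. The vpn-instance step is omitted because the example assumes the Portal server is reachable in the public network instance.

```text
# Added example, not from the original page. All addresses, names and the
# shared key below are constructed placeholders.
system-view
web-auth-server portal1
 protocol portal
 server-ip 192.168.10.5
 # Pin the address the device uses toward the server, so the server can
 # restrict which device addresses it accepts Portal packets from.
 source-ip 10.1.1.1
 port 50100
 # Shared key protecting the device-to-server exchange; replace the placeholder.
 shared-key cipher PortalKey-CHANGE-ME
 quit
# URL template binding mode: build the redirect URL and the parameters it carries.
url-template name tpl1
 url http://192.168.10.5:8080/portal/index.jsp
 # Parameter names the device writes into the redirect URL (constructed names).
 url-parameter device-ip nasip user-ipaddress userip user-mac usermac
 # MAC address written with "-" as delimiter in the normal format.
 url-parameter mac-address format delimiter - normal
 # Explicitly set the marks; these equal the documented defaults.
 parameter start-mark ? assignment-mark = isolate-mark &
 quit
# Return to the template view and bind the URL template to it.
web-auth-server portal1
 url-template tpl1
 quit
```

          With the marks configured above, a redirected user reaches the page as http://192.168.10.5:8080/portal/index.jsp followed by ?, then nasip=..., userip=... and usermac=... joined by &, the device filling in its own address, the user's address and the user's MAC address; the order in which the device emits the parameters is not stated on this page. The shared key and a fixed source address are the two settings that let the Portal server tell genuine device traffic from spoofed packets, so both should be set rather than left at their empty defaults.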

  • Configure parameters for information exchange with the Portal server.

    • Run system-view

      The system view is displayed.

    • Run web-auth-server version v2 [ v1 ]

      Portal protocol versions supported by the device are configured.

      By default, the device supports Portal protocol v1 and v2.

      The default setting is recommended to ensure proper communication; that is, the device supports both versions.

    • Run web-auth-server listening-port port-number

      The number of the port through which the device listens to Portal packets is configured.

      By default, the device listens to Portal packets through port 2000.

    • Run web-auth-server reply-message

      The device is enabled to transparently transmit user authentication information received from the authentication server to the Portal server.

      By default, the device transparently transmits users' authentication responses sent by the authentication server to the Portal server.

    • Run portal redirect-http-port port-number &<1-10>

      A user-defined destination port number of HTTP packets that trigger Portal redirection is configured.

      By default, the device redirects users to the Portal authentication page only when their browsers send HTTP packets with the destination port number 80.

    • Run authentication https-redirect enable

      HTTPS redirection for Portal or 802.1X authentication is enabled.

      By default, HTTPS redirection for wireless Portal or 802.1X authentication is enabled, and HTTPS redirection for wired Portal or 802.1X authentication is disabled.

      • When Portal authentication is triggered while a user accesses an HTTPS website, the browser displays a security prompt, requiring the user to click Continue to complete Portal authentication.
      • Redirection is not supported if the browser or website runs HTTP Strict Transport Security (HSTS).
      • If the destination port number of the HTTPS request packet sent by the user is not a well-known port number (443), redirection cannot be performed.
      • To enable HTTPS redirection for wired Portal authentication, run the authentication https-redirect enable command and then the portal https-redirect wired enable command.
      • This function takes effect only for new Portal or 802.1X authentication users.
      • This function takes effect only after a Portal server template is created or the IP address of the built-in Portal server is configured.

    • (Optional) Run portal redirect js enable

      The function of inserting a JavaScript file during Portal redirection is enabled.

      By default, the function of inserting a JavaScript file during Portal redirection is disabled.

    • (Optional) Run portal redirect-302 enable

      Redirection based on the status code 302 is enabled for Portal authentication.

      By default, redirection based on the status code 302 is disabled for Portal authentication.

    • (Optional) Run portal https-redirect blacklist { ip start-ip-address [ end-ip-address ] | ipv6 start-ipv6-address [ to end-ipv6-address ] }

      An address or an address range is added to the HTTPS redirection blacklist. After an address is added to the HTTPS redirection blacklist, HTTPS redirection is not performed for HTTPS access to this address.

      By default, no address is added to the HTTPS redirection blacklist.

    • (Optional) Run portal https-redirect whitelist { ip start-ip-address [ end-ip-address ] | ipv6 start-ipv6-address [ to end-ipv6-address ] }

      An address or an address range is added to the HTTPS redirection whitelist.

      By default, no address is added to the HTTPS redirection whitelist.

    • (Optional) Run portal https-redirect blacklist aging-time aging-time

      The aging time of addresses in the HTTPS redirection blacklist is configured.

      By default, the aging time of addresses in the HTTPS redirection blacklist is 259200 seconds, that is, 72 hours.

    • (Optional) Run portal https-redirect blacklist packet-rate packet-rate

      The maximum rate at which a Portal user accesses an address through HTTPS is configured. If the user access rate reaches the maximum, the switch adds the destination address to the HTTPS redirection blacklist.

      By default, the maximum rate at which a Portal user accesses an address through HTTPS is 40 times per minute.

    • (Optional) Run portal https-redirect blacklist retry-times retry-times interval interval

      The maximum number of times and the detection period are configured. Within the detection period, if the number of times an address is added to the provisional HTTPS redirection blacklist reaches the maximum, the address is added to the HTTPS redirection blacklist.

      By default, the maximum number of times is 10 and the detection period is 3 minutes.

    • Run portal logout resend times timeout period

      The number of times that the device retransmits offline packets of Portal authentication users and the retransmission interval are configured.

      By default, the device retransmits offline packets of Portal authentication users three times at an interval of five seconds.

    • Run portal logout different-server enable

      The device is enabled to process user logout requests sent by a Portal server other than the one from which users log in.

      By default, a device does not process user logout requests sent by Portal servers other than the one from which users log in.
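    The following configuration applies the information exchange parameters above as one consistent set. It is an added example, not configuration from the Huawei documentation: the additional HTTP port 8080 and the blacklisted address 203.0.113.10 are constructed values, and it is assumed that listing two ports in one portal redirect-http-port command keeps both. Lines beginning with # are explanatory annotations, not CLI input.

```text
# Added example, not from the original page. Port 8080 and 203.0.113.10 are
# constructed values.
system-view
# Keep both protocol versions (the documented default and recommendation).
web-auth-server version v2 v1
web-auth-server listening-port 2000
web-auth-server reply-message
# Trigger redirection for HTTP sent to 8080 as well as the default port 80
# (assumed: both listed ports are retained).
portal redirect-http-port 80 8080
# HTTPS redirection is on by default for wireless users only; enable it
# globally and then for wired users as the page describes.
authentication https-redirect enable
portal https-redirect wired enable
# HTTPS access to this address is never redirected.
portal https-redirect blacklist ip 203.0.113.10
# Blacklist behaviour, shown at the documented default values.
portal https-redirect blacklist aging-time 259200
portal https-redirect blacklist packet-rate 40
portal https-redirect blacklist retry-times 10 interval 3
# Retransmit logout packets three times, five seconds apart.
portal logout resend 3 timeout 5
```

    The portal logout different-server enable command is deliberately left at its default here: with the default, only the Portal server a user logged in through can log that user out, which is the safer setting unless the deployment really has several Portal servers handling the same users. Note the page's caveats when testing HTTPS redirection: it only takes effect for users who authenticate after it is enabled, needs a Portal server template or built-in Portal server address to exist, and does not work for sites using HSTS or for HTTPS requests to ports other than 443.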

Copyright © Huawei Technologies Co., Ltd.