Configuring an External Portal Server for a Portal Access Profile

Context

To use Portal authentication, you must configure Portal server parameters on the device. The device supports external and built-in Portal servers. To use an external Portal server for authentication, you need to configure an external Portal server, and configure a Portal access profile to use the external Portal server. When users who use the Portal access profile attempt to access charged network resources, they are forcibly redirected to the authentication page of the Portal server for Portal authentication.

A Portal server template defines parameters of the Portal server. You need to configure an external Portal server for the Portal access profile, that is, bind a Portal server template to the Portal access profile.

To improve Portal authentication reliability, the backup Portal server template can also be bound to the Portal access profile. When the primary Portal server is disconnected, the users are redirected to the backup Portal server for authentication. This function can take effect only when the Portal server detection function is enabled using the server-detect command and heartbeat detection is enabled on the Portal server.

Procedure

Run system-view
The system view is displayed.
Run portal-access-profile name access-profile-name
A Portal access profile is created and the Portal access profile view is displayed.
Run web-auth-server server-name [ bak-server-name ] { direct | layer3 }
A Portal server template is bound to the Portal access profile.

By default, no Portal server template is bound to a Portal access profile.
The following Portal authentication modes are available:
- direct: When there is no Layer 3 forwarding device between the device and a user, the device can learn the user's MAC address. You can configure the Layer 2 authentication mode so that the device can identify the user using the MAC address.
- layer3: When there is a Layer 3 forwarding device between the device and a user, the device cannot learn the user's MAC address and can only identify the user using the IP address. You need to configure the Layer 3 authentication mode.
Run portal auth-network network-address { mask-length | mask-address }
The source subnet is set for Portal authentication.

By default, the source authentication subnet is 0.0.0.0/0, indicating that users in all subnets must pass Portal authentication.

The command takes effect only for Layer 3 Portal authentication. In Layer 2 Portal authentication, users on all subnets must be authenticated.