
(Optional) Setting Access Control Parameters for Portal Authentication Users

Context

During deployment of a Portal authentication network, you can set access control parameters for Portal authentication users to control user access flexibly. For example, you can set authentication-free rules for Portal authentication users so that the users can access specified network resources without being authenticated or after failing authentication. You can also configure the source authentication subnet so that the device authenticates only users in that subnet; users in other subnets cannot pass Portal authentication.

Procedure

  • Set access control parameters for Portal authentication users when an external Portal server is used.
    1. Run system-view

      The system view is displayed.

    2. Set the Portal authentication-free rule using the following command syntax:

      • Run portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id }* } }*

        The Portal authentication-free rule is set.

      • Run portal free-rule rule-id source ip ip-address mask { mask-length | ip-mask } [ mac mac-address ] [ interface interface-type interface-number ] destination user-group group-name

        The Portal authentication-free rule is set.

      By default, no Portal authentication-free rule is set.

    3. Set the maximum number of Portal authentication users.

      1. Run portal max-user user-number

        The maximum number of Portal authentication users is set.

        By default, the maximum number of Portal authentication users is the maximum number supported by the device.

      2. Run portal user-alarm percentage percent-lower-value percent-upper-value

        The alarm threshold for the Portal authentication user count percentage is set.

        By default, the lower alarm threshold for the Portal authentication user count percentage is 50, and the upper alarm threshold for the Portal authentication user count percentage is 100.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. (Optional) On an Ethernet interface, run undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.

    6. Run portal auth-network network-address { mask-length | mask-address }

      The source subnet is set for Portal authentication.

      By default, the source authentication subnet is 0.0.0.0/0, indicating that users in all subnets must pass Portal authentication.

      This command takes effect only for Layer 3 Portal authentication. In Layer 2 Portal authentication, users on all subnets must be authenticated.

    7. Run portal domain domain-name

      A forcible Portal authentication domain name is set.

      By default, no forcible Portal authentication domain name is set.

  • Set access control parameters for Portal authentication users when a built-in Portal server is used.
    1. Run system-view

      The system view is displayed.

    2. Run portal local-server authentication-method { chap | pap }

      The authentication mode of the built-in Portal server is set.

      By default, the built-in Portal server uses CHAP to authenticate Portal users.

    3. Set the Portal authentication-free rule using the following command syntax:

      • Run portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id }* } }*

        The Portal authentication-free rule is set.

      • Run portal free-rule rule-id source ip ip-address mask { mask-length | ip-mask } [ mac mac-address ] [ interface interface-type interface-number ] destination user-group group-name

        The Portal authentication-free rule is set.

        If a user fails built-in Portal authentication on a Layer 2 interface of the device (excluding the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI), the user cannot obtain network access rights defined by the Portal authentication-free rule.

      By default, no Portal authentication-free rule is set.
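
A review aid for the authentication-free rules set in both procedures above, added here as an example that is not part of the original documentation or any Huawei tool: it parses `portal free-rule` lines in the syntax shown on this page and reports rules that open a broad scope to unauthenticated users. The sample configuration, its addresses, the function names and the /24 threshold (`min_prefix`) are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample configuration (not from a real device); addresses are illustrative.
SAMPLE_CONFIG = """\
portal free-rule 1 destination ip 10.1.1.10 mask 32 udp destination-port 53
portal free-rule 2 destination ip 10.1.0.0 mask 255.255.0.0
portal free-rule 3 destination any
portal free-rule 4 source vlan 20
portal free-rule 5 source ip 10.2.0.0 mask 24 destination user-group guests
portal free-rule 6 destination ip any
"""

# destination ip <addr> mask <len|mask> [ tcp|udp destination-port <port> ]
DEST_IP = re.compile(r"destination ip (\S+) mask (\S+)(?: (tcp|udp) destination-port (\d+))?")

def audit_free_rule(line, min_prefix=24):
    """Return (rule_id, findings) for one 'portal free-rule' line, else None."""
    m = re.match(r"\s*portal free-rule (\d+) (.*)", line)
    if not m:
        return None
    rule_id, body = int(m.group(1)), m.group(2)
    findings = []
    dest = DEST_IP.search(body)
    if "destination user-group" in body:
        pass  # scope is set by the user group, which this line does not show
    elif re.search(r"destination (ip )?any\b", body):
        findings.append("any destination reachable without authentication")
    elif dest:
        # Accepts both a mask length (24) and a dotted mask (255.255.255.0).
        net = ipaddress.ip_network(f"{dest.group(1)}/{dest.group(2)}", strict=False)
        if net.prefixlen < min_prefix:  # threshold is a local policy assumption
            findings.append(f"destination {net} broader than /{min_prefix}")
        if dest.group(3) is None:
            findings.append("no tcp/udp destination-port restriction")
    else:
        findings.append("no destination clause in rule")
    return rule_id, findings

def audit_config(text, min_prefix=24):
    """Map each free-rule id in a configuration text to its list of findings."""
    results = {}
    for line in text.splitlines():
        audited = audit_free_rule(line, min_prefix)
        if audited is not None:
            results[audited[0]] = audited[1]
    return results

if __name__ == "__main__":
    for rule_id, findings in sorted(audit_config(SAMPLE_CONFIG).items()):
        print(rule_id, "; ".join(findings) or "ok")
```
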

Copyright © Huawei Technologies Co., Ltd.