Configuring an External Portal Server

Context

If an external Portal server is used for authentication, configure the related parameters in the Portal server template, such as the authentication protocol, so that the device and the Portal server can communicate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal web-authen-server { http | https ssl-policy policy-name } [ port port-number ]

    The Portal interconnection function of the HTTP or HTTPS protocol is enabled.

    By default, the Portal interconnection function of the HTTP or HTTPS protocol is disabled.

  3. Run web-auth-server server-name

    A Portal server template is created and the Portal server template view is displayed.

    By default, no Portal server template is created.

  4. Run protocol http [ password-encrypt { none | uam } ]

    The protocol used in Portal authentication is set to HTTP or HTTPS.

    By default, the Portal protocol is used in Portal authentication.

    The default password encryption mode is none. Set the password encryption mode on the device to be the same as that on the Portal server.

  5. (Optional) Run http get-method enable

    The device is configured to allow users to submit user name and password information using the GET method during Portal authentication.

    By default, the device does not allow users to submit user name and password information using the GET method during Portal authentication.

    By default, the device allows users to submit user name and password information using the POST method during Portal authentication. Perform this step if the Portal server uses the GET method.

  6. Run http-method post { cmd-key cmd-key [ login login-key | logout logout-key ] * | init-url-key init-url-key | login-fail response { err-msg { authenserve-reply-message | msg msg } | redirect-login-url | redirect-url redirect-url [ append-reply-message msgkey ] } | login-success response { msg msg | redirect-init-url | redirect-url redirect-url } | logout-fail response { msg msg | redirect-url redirect-url } | logout-success response { msg msg | redirect-url redirect-url } | password-key password-key | user-mac-key user-mac-key | userip-key userip-key | username-key username-key } *

    Parameters for parsing and replying to POST or GET request packets of the HTTP or HTTPS protocol are configured.

    By default, the system has configured parameters for parsing and replying to POST or GET request packets of the HTTP or HTTPS protocol. For details, see the "Parameters" table in the http-method post command.

    Configure command identification keywords on the device according to the configuration on the Portal server.

  7. Configure a URL for the Portal server.

    You can bind a URL or a URL template to a Portal server template. Compared with URL binding, URL template binding allows you to configure the redirect URL of the Portal server and configure the URL to carry parameters related to users or the access device. The Portal server then can obtain user terminal information based on parameters carried in the URL and provide different Portal authentication pages for different users. You can choose URL binding mode or URL template binding mode based on actual requirements.

    • URL binding mode

      Run url url-string

      A URL is configured for the Portal server.

      By default, no URL is configured for the Portal server.

    • URL template binding mode

      1. Create and configure a URL template.

        1. Run quit

          Return to the system view.

        2. Run url-template name template-name

          A URL template is created and the URL template view is displayed.

          By default, no URL template is created on the device.

        3. Run url [ redirect-only ] url-string [ ssid ssid ]

          A redirect URL is configured for the Portal server.

          By default, no redirect URL is configured for the Portal server.

        4. Run url-parameter { device-ip device-ip-value | device-mac device-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | login-url url-key url | redirect-url redirect-url-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | user-vlan user-vlan-value | ap-group-name ap-group-name-value | ap-location ap-location-value | ap-name ap-name-value } *

          Parameters carried in the URL are configured.

          By default, a URL does not carry any parameters.

        5. Run url-parameter mac-address format delimiter delimiter { normal | compact }

          The MAC address format in the URL is configured.

          By default, the MAC address format in a URL is XXXXXXXXXXXX.

        6. Run parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } *

          The start, assignment, and delimiter characters used in the URL are configured.

          By default, the start character in a URL is a question mark (?), the assignment character is an equal sign (=), and the delimiter between parameters is an ampersand (&).

        7. (Optional) Run url-parameter set device-ip device-ip

          Redirection parameters are set.

          By default, the device automatically obtains redirection parameter values.

        8. Run quit

          Return to the system view.

      2. Run web-auth-server server-name

        The Portal server template view is displayed.

      3. Run url-template url-template

        The URL template is bound to the Portal server template.

        By default, no URL template is bound to a Portal server template.

      4. Run quit

        Return to the system view.

  8. (Optional) Run portal redirect js enable

    The function of inserting a JavaScript file during Portal redirection is enabled.

    By default, the function of inserting a JavaScript file during Portal redirection is disabled.

  9. (Optional) Run portal redirect-302 enable

    Redirection based on the status code 302 is enabled for Portal authentication.

    By default, redirection based on the status code 302 is disabled for Portal authentication.

  10. (Optional) Run portal https-redirect blacklist { ip start-ip-address [ end-ip-address ] | ipv6 start-ipv6-address [ to end-ipv6-address ] }

    An address or an address range is added to the HTTPS redirection blacklist. After an address is added to the HTTPS redirection blacklist, HTTPS redirection is not performed for HTTPS access to this address.

    By default, no address is added to the HTTPS redirection blacklist.

  11. (Optional) Run portal https-redirect whitelist { ip start-ip-address [ end-ip-address ] | ipv6 start-ipv6-address [ to end-ipv6-address ] }

    An address or an address range is added to the HTTPS redirection whitelist.

    By default, no address is added to the HTTPS redirection whitelist.

  12. (Optional) Run portal https-redirect blacklist aging-time aging-time

    The aging time of addresses in the HTTPS redirection blacklist is configured.

    By default, the aging time of addresses in the HTTPS redirection blacklist is 259200 seconds, that is, 72 hours.

  13. (Optional) Run portal https-redirect blacklist packet-rate packet-rate

    The maximum rate at which a Portal user accesses an address through HTTPS is configured. If the user access rate reaches the maximum, the switch adds the destination address to the HTTPS redirection blacklist.

    By default, the maximum rate at which a Portal user accesses an address through HTTPS is 40 times per minute.

  14. (Optional) Run portal https-redirect blacklist retry-times retry-times interval interval

    The maximum number of times and the detection period are configured. Within the detection period, if the number of times an address is added to the provisional HTTPS redirection blacklist reaches the maximum, the address is added to the HTTPS redirection blacklist.

    By default, the maximum number of times is 10 and the detection period is 3 minutes.
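
The following is an added example, not part of the vendor documentation: a small Python audit that scans a saved configuration for the credential-exposure choices this procedure offers in steps 2, 4, 5 and 7. The template name, ssl-policy name, URLs, finding texts and the one-space indentation of view sub-commands are assumptions made for the illustration, and both sample configurations are constructed.

```python
import re

# Constructed sample configurations built only from commands in the procedure
# above. Names, URLs and the one-space view indentation are assumptions.
WEAK_CONFIG = """\
portal web-authen-server http
web-auth-server guest_portal
 protocol http
 http get-method enable
 url http://portal.example.com/login
"""

HARDENED_CONFIG = """\
portal web-authen-server https ssl-policy portal_policy
web-auth-server guest_portal
 protocol http password-encrypt uam
 url https://portal.example.com/login
"""

VIEW = re.compile(r"(web-auth-server|url-template name) \S+")

def audit(config):
    """Return (view, finding) pairs for settings that expose credentials."""
    findings, view = [], "system"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw.startswith(" "):  # unindented: global command or new view
            view = line if VIEW.fullmatch(line) else "system"
        if re.fullmatch(r"portal web-authen-server http( port \d+)?", line):
            findings.append((view, "interconnection uses plaintext HTTP"))
        elif line == "http get-method enable":
            findings.append((view, "credentials accepted in GET query string"))
        elif re.match(r"protocol http\b", line) and "password-encrypt uam" not in line:
            findings.append((view, "password encryption mode is none"))
        elif re.match(r"url (redirect-only )?http://", line):
            findings.append((view, "portal URL uses http://"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

With the GET method enabled, the user name and password travel in the request URL, where proxies, server logs and browser history can record them.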

Copyright © Huawei Technologies Co., Ltd.