
portal free-rule

Function

The portal free-rule command configures the Portal authentication-free rule for users.

The undo portal free-rule command restores the default configuration.

By default, no Portal authentication-free rule is configured.

Format

portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } [ tcp destination-port port | udp destination-port port ] | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } * } } *

portal free-rule rule-id source ip ip-address mask { mask-length | ip-mask } [ mac mac-address ] [ interface interface-type interface-number ] destination user-group group-name

undo portal free-rule { rule-id | all }

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| rule-id | Specifies the ID of the Portal authentication-free rule. | The value is an integer; its range depends on the product model. |
| destination | Specifies the destination network resources that the authentication-free users can access. | - |
| source | Specifies the source information of the authentication-free users. | - |
| any | Matches any value. Its meaning depends on the keyword it follows: any destination resource after destination, any source after source, and any IP address after ip. | - |
| ip ip-address | Specifies the IP address in the rule. This parameter specifies the source or destination address depending on the keyword it follows. | The value is in dotted decimal notation. |
| mask mask-length | Specifies the mask length of an IP address. This parameter specifies the source or destination address mask depending on the keyword it follows. | The value is an integer that ranges from 1 to 32. |
| mask ip-mask | Specifies the IP address mask. This parameter specifies the source or destination address mask depending on the keyword it follows. | The value is in dotted decimal notation. |
| tcp destination-port port | Specifies the TCP destination port number. | The value is an integer that ranges from 1 to 65535. |
| udp destination-port port | Specifies the UDP destination port number. | The value is an integer that ranges from 1 to 65535. |
| interface interface-type interface-number | Specifies the type and number of the source interface in the rule. interface-type specifies the interface type; interface-number specifies the interface number. | - |
| vlan vlan-id | Specifies the VLAN ID of the source packet in the rule. | The value is an integer that ranges from 1 to 4094. |
| all | Specifies all rules. | - |
| mac mac-address | Specifies the MAC address of the Portal authentication user who is allowed to access destination network resources without authentication. | The value is in H-H-H format, where each H is a hexadecimal number of 1 to 4 digits. |
| user-group group-name | Allows Portal authentication users to access the network resources in the user group. | The value is a string of 1 to 64 case-sensitive characters without spaces. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A user cannot access the network before being authenticated successfully. You can configure an authentication-free rule for specified users to access certain network resources without passing the Portal authentication. An authentication-free rule can be determined by parameters such as the IP address, MAC address, interface, and VLAN. An authentication-free rule can also be determined by ACL rules. The destination IP address that users can access without authentication can be specified in an authentication-free rule defined by either of the two methods. In addition, the destination domain name that users can access without authentication can be specified in an authentication-free rule defined by ACL.

For example, some authentication users who do not have an authentication account must first log in to the official website of a carrier and apply for a member account, or log in using the account of a third party such as Twitter or Facebook. This requires that the users can access specified websites before successful authentication. The domain name of a website is easier to remember than the IP address; therefore, the authentication-free rule defined by ACL can be configured to enable the users to access the domain names of websites without authentication.

Precautions

  • When multiple authentication-free rules are configured, the system matches the rules one by one.
  • If the vlan parameter determines where users reside for an authentication-free rule, the Portal server must have been bound to the VLANIF interface of the VLAN using the web-auth-server (interface view) command; otherwise, the configured authentication-free rule does not take effect for users in the VLAN.
  • If you specify both VLAN and interface when running the portal free-rule command, the interface must belong to the VLAN; otherwise, the configuration is invalid.
  • If you specify the destination port number in an authentication-free rule, fragmented packets cannot match the rule and cannot be forwarded.
  • You can only add or delete rules; you cannot modify a rule after it is created. To modify a rule with a certain rule-id, run the undo portal free-rule command to delete the rule and then reconfigure it.
  • To allow Portal authentication users to access the network resources in the user group, pay attention to the following points:
    • The user group has been created before it is referenced by the Portal authentication-free rule.
    • The Portal authentication-free rule takes effect only after the referenced user group is enabled.
    • A user can only join one user group. If multiple rules are configured, the rule with the smallest rule-id has the highest priority.
    • If multiple rules are applied to a user, the Portal authentication-free rule referencing the user group has the highest priority.
    • The rule of the user group can only contain whitelists. That is, the deny action cannot be used.
    • After configuring authorization for a user using the destination user-group group-name command, you cannot configure authorization in other modes for the user.
  • If a user fails built-in Portal authentication on a Layer 2 interface of the device (excluding the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-HI, and S5720-HI), the user cannot obtain network access rights defined by the Portal authentication-free rule.

Example

# Enable all Portal users to access the network 10.1.1.1/24 without authentication.

<HUAWEI> system-view
[HUAWEI] portal free-rule 1 destination ip 10.1.1.1 mask 24 source ip any

# Add the devices on network segment 10.2.100.0/24 to the user group static-user and allow the devices to access all network resources without authentication.

<HUAWEI> system-view
[HUAWEI] acl number 3100
[HUAWEI-acl-adv-3100] rule 5 permit ip source 10.2.100.0 255.255.255.0
[HUAWEI-acl-adv-3100] quit
[HUAWEI] user-group static-user
[HUAWEI-user-group-static-user] acl-id 3100
[HUAWEI-user-group-static-user] quit
[HUAWEI] user-group static-user enable
[HUAWEI] portal free-rule 0 source ip 10.2.100.0 mask 24 destination user-group static-user
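The following Python model is an added example, not Huawei's implementation or any code from this reference. It renders rules in the portal free-rule syntax shown above and evaluates a packet against them the way the Precautions describe: rules are checked one by one (ascending rule-id order is an assumption; the reference only says "one by one"), a rule that references a user group takes priority over address-based rules and has no effect until that group exists and is enabled, and a rule that names a destination port never matches a fragmented packet. The Packet, FreeRule and UserGroup classes, the evaluate function and all sample addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"          # "tcp" or "udp"
    dport: Optional[int] = None
    fragment: bool = False      # non-initial IP fragment: no L4 header, so no port


@dataclass(frozen=True)
class FreeRule:
    rule_id: int
    src_net: Optional[str] = None     # "addr/len"; None means 'source ip any'
    dst_net: Optional[str] = None     # "addr/len"; None means 'destination any'
    proto: Optional[str] = None       # "tcp" or "udp", used together with dst_port
    dst_port: Optional[int] = None
    user_group: Optional[str] = None  # 'destination user-group <name>' form

    def to_cli(self) -> str:
        """Render the rule in the syntax of the portal free-rule command."""
        if self.user_group is not None:
            addr, length = self.src_net.split("/")
            return (f"portal free-rule {self.rule_id} source ip {addr} mask {length} "
                    f"destination user-group {self.user_group}")
        if self.dst_net is None:
            dst = "destination any"
        else:
            addr, length = self.dst_net.split("/")
            dst = f"destination ip {addr} mask {length}"
            if self.dst_port is not None:
                dst += f" {self.proto} destination-port {self.dst_port}"
        if self.src_net is None:
            src = "source ip any"
        else:
            addr, length = self.src_net.split("/")
            src = f"source ip {addr} mask {length}"
        return f"portal free-rule {self.rule_id} {dst} {src}"


@dataclass
class UserGroup:
    name: str
    permit_dst: List[str]   # whitelist only: the group's rule cannot contain deny
    enabled: bool = False   # the free-rule referencing it is inert until enabled


def _in_net(ip: str, net: Optional[str]) -> bool:
    """None stands for 'any'; host bits in the configured address are ignored."""
    if net is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _matches(rule: FreeRule, pkt: Packet, groups: Dict[str, UserGroup]) -> bool:
    if not _in_net(pkt.src, rule.src_net):
        return False
    if rule.user_group is not None:
        group = groups.get(rule.user_group)
        if group is None or not group.enabled:
            return False   # group not created or not enabled: rule does not take effect
        return any(_in_net(pkt.dst, net) for net in group.permit_dst)
    if not _in_net(pkt.dst, rule.dst_net):
        return False
    if rule.dst_port is not None:
        if pkt.fragment:
            return False   # a port-qualified rule cannot match a fragment
        return pkt.proto == rule.proto and pkt.dport == rule.dst_port
    return True


def evaluate(rules: List[FreeRule], groups: Dict[str, UserGroup], pkt: Packet) -> Optional[int]:
    """Return the rule-id that grants authentication-free access, or None if the
    packet must go through Portal authentication first."""
    # user-group rules first, then the rest; smallest rule-id wins within each set
    ordered = sorted(rules, key=lambda r: (r.user_group is None, r.rule_id))
    for rule in ordered:
        if _matches(rule, pkt, groups):
            return rule.rule_id
    return None


# Constructed sample configuration mirroring the two examples on this page,
# plus one port-qualified rule to show the fragment limitation.
RULES = [
    FreeRule(1, dst_net="10.1.1.1/24"),
    FreeRule(0, src_net="10.2.100.0/24", user_group="static-user"),
    FreeRule(2, dst_net="192.0.2.10/32", proto="tcp", dst_port=443),
]
GROUPS = {"static-user": UserGroup("static-user", ["0.0.0.0/0"], enabled=True)}

if __name__ == "__main__":
    for rule in sorted(RULES, key=lambda r: r.rule_id):
        print(rule.to_cli())
    print(evaluate(RULES, GROUPS, Packet("10.2.100.7", "203.0.113.5")))
    print(evaluate(RULES, GROUPS, Packet("10.9.9.9", "192.0.2.10", dport=443, fragment=True)))
```

Running the module prints the three rules in CLI form and then the evaluation results: the host in 10.2.100.0/24 is admitted by the user-group rule 0 regardless of destination, while the fragmented HTTPS packet returns None because the port-qualified rule 2 cannot match it, which is the operational reason the reference warns that fragments are not forwarded by such rules.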
Copyright © Huawei Technologies Co., Ltd.