web-auth-server (Portal access profile view)

Function

The web-auth-server command configures the Portal server template used by a Portal access profile.

The undo web-auth-server command restores the default setting.

By default, a Portal access profile does not use any Portal server template.

Format

web-auth-server server-name [ bak-server-name ] { direct | layer3 }

undo web-auth-server

Parameters

Parameter	Description	Value
server-name	Specifies the name of a Portal server template.	The value must be an existing Portal server template name.
bak-server-name	Specifies the name of a backup Portal server template. NOTE: The name of the backup Portal server template cannot be configured to the command-line keywords direct and layer3.	The value must be an existing Portal server template name.
direct	Sets the Portal authentication mode to Layer 2 authentication.	-
layer3	Sets the Portal authentication mode to Layer 3 authentication.	-

Views

Portal access profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a Portal server template is configured on the device, this profile must be bound to a Portal access profile. When users who use the Portal access profile attempt to access charged network resources, the HTTP requests are forcibly redirected to the authentication page of the Portal server to implement Portal authentication.

To improve Portal authentication reliability, the backup Portal server template can also be bound to the Portal access profile. When the primary Portal server is disconnected, the users are redirected to the backup Portal server for authentication. This function can take effect only when the Portal server detection function is enabled using the server-detect command and heartbeat detection is enabled on the Portal server.

The following Portal authentication modes are available:

direct: When there is no Layer 3 forwarding device between the device and a user, the device can learn the user's MAC address. You can configure the Layer 2 authentication mode so that the device can identify the user using the MAC address.
layer3: When there is a Layer 3 forwarding device between the device and a user, the device cannot learn the user's MAC address and can only identify the user using the IP address. You need to configure the Layer 3 authentication mode.

Prerequisites

A Portal server template has been created using web-auth-server and the IP address of the Portal server has been configured using server-ip.

Precautions

After a Portal access profile is bound to an authentication profile, the Portal server template used in the Portal access profile cannot be deleted, but can be modified.
The support for Portal authentication varies depending on different interfaces, routed main interfaces (Only S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, and S6720S-EI) support only Layer 3 Portal authentication, Layer 2 interfaces support only Layer 2 Portal authentication, and VLANIF interfaces support both Layer 2 and Layer 3 Portal authentication.
This command does not take effect on the VLANIF interface corresponding to the super VLAN.
When the direct forwarding mode is used for wireless users and Portal authentication is enabled on the VLANIF interface, the branched networking must be used for the device to make Portal authentication take effect.

Example

# Bind the Portal access profile p1 to the Portal server templates server1 and server2 (backup Portal server template), and configure the Layer 2 authentication mode.

<HUAWEI> system-view
[HUAWEI] web-auth-server server1
[HUAWEI-web-auth-server-server1] server-ip 10.10.1.1
[HUAWEI-web-auth-server-server1] quit
[HUAWEI] web-auth-server server2
[HUAWEI-web-auth-server-server2] server-ip 10.10.2.1
[HUAWEI-web-auth-server-server2] quit
[HUAWEI] portal-access-profile name p1
[HUAWEI-portal-access-profile-p1] web-auth-server server1 server2 direct