web-server redirect-key

Function

The web-server redirect-key command configures the keyword of the customized Portal attribute.

The undo web-server command restores the mandatory web server in a domain to the default setting.

By default, the mandatory web server is not configured.

This command is supported only on the NetEngine 8000 F1A.

Format

web-server redirect-key mscg-ip mscg-ip-key

web-server redirect-key mscg-name mscg-name-key

web-server redirect-key user-location user-location-key

web-server redirect-key user-ip-address user-ip-key

web-server redirect-key nas-logic-sysname nas-logic-sysname-key

web-server redirect-key user-mac-address user-mac-address [ simple [ type1 ] | cipher { aes128 [ cbc | gcm ] | des } ]

web-server redirect-key agent-remote-id agent-remote-id-key

web-server redirect-key ssid ssid-key

web-server redirect-key ap-mac-address ap-mac-key [ simple [ type1 ] | cipher { aes128 [ cbc | gcm ] | des } ]

web-server redirect-key subscription-id subscription-id

undo web-server [ redirect-key ]

undo web-server redirect-key mscg-ip

undo web-server redirect-key user-mac-address

undo web-server redirect-key mscg-name

undo web-server redirect-key user-location

undo web-server redirect-key user-ip-address

undo web-server redirect-key nas-logic-sysname

undo web-server redirect-key agent-remote-id

undo web-server redirect-key ssid

undo web-server redirect-key ap-mac-address

undo web-server redirect-key user-mac-address user-mac-address cipher { aes128 [ cbc | gcm ] | des }

undo web-server redirect-key ap-mac-address ap-mac-key cipher { aes128 [ cbc | gcm ] | des }

undo web-server redirect-key subscription-id [ subscription-id ]

Parameters

Parameter | Description | Value

redirect-key

Specifies the keyword of the customized Portal attribute. The keyword will be added to the redirection packet sent to a user. It is used to identify the corresponding attribute.

-

mscg-name mscg-name-key

Specifies the keyword of the BRAS name for users' login. The BRAS name can be configured using the nas-serial command in the AAA view. For example, the BRAS name configured using the nas-serial command is abcd, the keyword of the BRAS name configured using the web-server redirect-key mscg-name mscg-name-key command is bras, and the redirection URL for mandatory web authentication is http://www.isp1.com. Then, the URL for mandatory web authentication is http://www.isp1.com?bras=abcd.

The value is a string of 1 to 32 characters.

user-location user-location-key

Specifies the keyword of physical location information.

The value is a string of 1 to 32 characters.

user-ip-address user-ip-key

Specifies the keyword of the user IP address.

The value is a string of 1 to 32 characters.

nas-logic-sysname nas-logic-sysname-key

Specifies the logical host name.

The value is a string of 1 to 32 characters.

user-mac-address user-mac-address

Specifies the keyword of the user's MAC address.

The value is a string of 1 to 32 characters.

simple

Specifies the keyword of the MAC address in simple text.

-

type1

Specifies type1 so that the MAC address is displayed in the format of xx:xx:xx:xx:xx:xx. By default, the MAC address is displayed in the format of xx-xx-xx-xx-xx-xx.

-

cipher

Specifies the encryption mode.

-

aes128

Specifies the keyword of the AP MAC address to be encrypted in AES128 mode and to be transmitted in ciphertext.

-

cbc

Specifies the keyword to be encrypted in CBC mode.

-

gcm

Specifies that the MAC address carried in redirection packets is encrypted using AES128 in GCM mode and transmitted in ciphertext.

-

des

Specifies that the user MAC address carried in redirection packets is encrypted using the DES algorithm. DES is insecure. Therefore, AES128 in GCM mode is recommended.

-

agent-remote-id agent-remote-id-key

Specifies the keyword of the agent remote ID.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

ssid ssid-key

Specifies the keyword of the SSID.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

ap-mac-address ap-mac-key

Specifies the keyword of the AP MAC address.

The value is a string of 1 to 32 characters.

subscription-id subscription-id

Specifies the keyword of the subscription-id attribute.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

mscg-ip mscg-ip-key

Specifies the keyword of the IP address of the BRAS. If a source interface on the BRAS to the web server is specified using the web-auth-server source command in the system view, mscg-ip is the IP address of the outbound interface. If no source interface is specified, mscg-ip is the IP address of the outbound interface of the route to the network segment of the IP address of the web server in the routing table of the BRAS. For example, the keyword of the IP address of the BRAS is brasip, the source IP address is 10.0.0.1, and the redirection URL for mandatory web authentication is http://www.isp1.com. Then, the URL for mandatory web authentication is http://www.isp1.com?brasip=10.0.0.1.

The value is a string of 1 to 32 characters.

Views

AAA domain view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
aaa-access write

Usage Guidelines

Usage Scenario

Mandatory web authentication is a function that enables the device to redirect the access request of a user to the web server when the user accesses an unauthorized address before being authenticated, facilitating user authentication.

If a customized Portal attribute is configured, after the device receives a user packet that needs to be redirected, the device adds the keyword and corresponding attribute to the string of the redirection URL in the redirection packet and sends the packet to the user. After receiving this redirection packet, the user accesses the web server. The access packet carries the device IP address, user IP address, user's physical location information, and corresponding keyword. The device forwards the packet to the web server. The web server parses the packet based on the keyword and pops up the requested homepage to the user based on the user information in the packet.
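The web-server side of this exchange, as an added example that is not part of the original page or of any Huawei software: a Python parser that extracts the configured keywords from the redirected request and validates each value, since the query string reaches the web server through the user's browser. The keyword names are the ones used in this page's examples; the function name and the sample values in the comments are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# attribute -> keyword, as configured with web-server redirect-key
# (names taken from the examples on this page; adjust to the deployment).
KEYWORDS = {
    "mscg-ip": "mscgip",
    "user-ip-address": "userip",
    "user-location": "userlocation",
    "user-mac-address": "usermac",
}

# Default format xx-xx-xx-xx-xx-xx, or xx:xx:xx:xx:xx:xx when type1 is set.
# The back-reference rejects mixed separators.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def parse_redirect(url, keywords=KEYWORDS, mac_is_cipher=False):
    """Return {attribute: value} for the configured keywords found in url.

    Duplicate keywords and malformed values raise ValueError instead of
    being passed on to the Portal logic.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    attrs = {}
    for attribute, key in keywords.items():
        values = query.get(key)
        if values is None:
            continue  # attribute not configured on the device
        if len(values) != 1:
            raise ValueError(f"keyword {key!r} appears {len(values)} times")
        value = values[0]
        if attribute in ("mscg-ip", "user-ip-address"):
            value = str(ipaddress.ip_address(value))  # ValueError if invalid
        elif attribute == "user-mac-address" and not mac_is_cipher:
            if not MAC_RE.match(value):
                raise ValueError(f"malformed MAC address in {key!r}")
            value = value.replace(":", "-").lower()  # one canonical form
        # With cipher configured the MAC value is ciphertext; its encoding is
        # not described on this page, so it is returned unchanged.
        attrs[attribute] = value
    return attrs
```

For a constructed URL such as http://www.isp1.com?mscgip=10.0.0.1&userip=10.1.1.20&usermac=00:11:22:AA:BB:CC, the function returns the two addresses and the MAC address normalized to 00-11-22-aa-bb-cc.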

If homepage popup is configured and the web server supports this function, when the user passes the web authentication, the web server refreshes the web page being browsed by the user to the homepage requested by the user before authentication. The user does not need to type this homepage again. If homepage popup is configured, when the user passes the web authentication, the user is forcibly redirected to the Portal page. To access the requested homepage, the user needs to type this homepage again.

If the mandatory web server is different from the web authentication server, the device cannot identify whether the mandatory web server is Up or Down, but can identify whether the web authentication server is Up or Down. To enable the device to identify whether the mandatory web server is Up or Down based on the status of the web authentication server, you can run the web-server { <ip-address> | url <url> } [ bind web-auth-server <ip-address> [ vpn-instance <vpn-instance> ] ] command to bind the mandatory web server to the web authentication server.

If there are two web authentication servers in active/standby mode, after the mandatory web server is bound to the web authentication server, you can run the web-server { <ip-address> | url <url> } [ bind web-auth-server <ip-address> [ vpn-instance <vpn-instance> ] ] slave command to configure the standby mandatory web server.

To enable the device to add the Option 82 information delivered through the subscription-id sub-attribute of the hw-avpair (26-188) attribute to the URL string in a redirection packet to be sent to a user, run the web-server redirect-key subscription-id [subscription-id] command.

NOTE:

  • The web-server redirect-key subscription-id [subscription-id] and web-server redirect-key agent-remote-id agent-remote-id commands are mutually exclusive.
  • The Option 82 information added to the URL string in a web redirection packet takes effect only after the web-server redirect-key subscription-id [subscription-id] command is run and the RADIUS-delivered attribute value of the subscription-id sub-attribute is not empty.

Precautions

This command is supported only on the admin VS.

  • When you run the web-server command in the AAA domain view, check whether the web authentication server to which the active/standby server is bound in IP mode is the same as that in URL mode. If they are different, you cannot run the web-server command.
  • The active web server must be different from the standby web server.
  • To delete the web authentication server, you must remove the binding of the web authentication server.
  • You must bind the web authentication server in the system view; otherwise, the binding fails.
  • If the web-auth-server source interface command is not run in the system view, run the web-server redirect-key mscg-ip command and the web-server command in the AAA domain view. In this way, a source interface's route can be used as a customized parameter of this source interface when an IPv6 user switches between the authentication domain and pre-authentication domain.
  • When users are forcibly redirected to the web server, if you do not want the actual user MAC address or AP MAC address to be displayed, run the web-server redirect-key command with cipher configured. The user MAC address or AP MAC address is then displayed in ciphertext. The shared-key or shared-key-cipher value in the web-server url-parameter { shared-key | shared-key-cipher } command is used to generate the ciphertext user MAC address or AP MAC address to be displayed. The default encryption mode for the keywords of user MAC and AP MAC addresses is AES-GCM-128. If you want the device to use the DES encryption mode, specify the des keyword in the web-server redirect-key command. AES-GCM-128 is recommended because DES is insecure.
  • If the web-server redirect-key user-mac-address <user-mac-address> [ cipher { aes128 [ cbc | gcm ] | des } ] command, instead of the web-server url-parameter { shared-key [ <shared-key> ] | shared-key-cipher [ <shared-key-cipher> ] } command, is run in the AAA domain view, redirection packets do not carry user MAC addresses.
  • If the web-server redirect-key ap-mac-address <ap-mac-key> [ cipher { aes128 [ cbc | gcm ] | des } ] command, instead of the web-server url-parameter { shared-key [ <shared-key> ] | shared-key-cipher [ <shared-key-cipher> ] } command, is run in the AAA domain view, redirection packets do not carry AP MAC addresses.
  • When the DES algorithm is used, only the first eight bytes of shared-key-cipher configured in web-server url-parameter { shared-key [ <shared-key> ] | shared-key-cipher [ <shared-key-cipher> ] } are used as the key for MAC address encryption.
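The rules above and in the NOTE, applied as an added example (not Huawei tooling and not part of the original page): a Python check that can be run over a configuration template before it is pushed to the device. The sample configuration, its one-command-per-line layout, the keyword names and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample; assumes one command per line, with each domain's
# commands following its "domain <name>" line. Keywords are illustrative.
SAMPLE_CONFIG = """\
aaa
 domain huawei
  web-server redirect-key user-mac-address usermac cipher des
  web-server redirect-key ap-mac-address apmac cipher aes128 gcm
  web-server redirect-key agent-remote-id remoteid
  web-server redirect-key subscription-id subid
 domain guest
  web-server url-parameter shared-key-cipher <placeholder>
  web-server redirect-key user-mac-address usermac cipher aes128 gcm
"""

REDIRECT_RE = re.compile(r"^web-server redirect-key (\S+)(?: \S+)?(.*)$")
MAC_ATTRS = {"user-mac-address", "ap-mac-address"}


def audit(config_text):
    """Return sorted (domain, finding) tuples for the rules on this page."""
    domains = defaultdict(lambda: {"keys": {}, "shared_key": False})
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("domain "):
            current = domains[line.split()[1]]
        elif current is None:
            continue
        elif line.startswith("web-server url-parameter"):
            current["shared_key"] = current["shared_key"] or "shared-key" in line
        elif m := REDIRECT_RE.match(line):
            current["keys"][m.group(1)] = m.group(2).split()  # trailing options
    findings = []
    for name, dom in domains.items():
        for attr in dom["keys"].keys() & MAC_ATTRS:
            opts = dom["keys"][attr]
            if "cipher" not in opts:
                findings.append((name, f"{attr}: MAC address is sent in plain text"))
            elif not dom["shared_key"]:
                findings.append((name, f"{attr}: cipher without shared key, MAC not carried"))
            if "des" in opts:
                findings.append((name, f"{attr}: DES is insecure, use aes128 gcm"))
        if dom["keys"].keys() >= {"agent-remote-id", "subscription-id"}:
            findings.append((name, "agent-remote-id and subscription-id are mutually exclusive"))
    return sorted(findings)
```

On the constructed sample, audit(SAMPLE_CONFIG) reports four findings for domain huawei and none for domain guest.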

Example

# Set the keywords of the customized Portal attributes ssid and agent-remote-id to wlan and remoteid, respectively.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain huawei
[*HUAWEI-aaa-domain-huawei] commit
[*HUAWEI-aaa-domain-huawei] web-server redirect-key ssid wlan
[*HUAWEI-aaa-domain-huawei] web-server redirect-key agent-remote-id remoteid
# Set the keyword of the customized Portal attribute subscription-id to aaa.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain huawei
[*HUAWEI-aaa-domain-huawei] commit
[*HUAWEI-aaa-domain-huawei] web-server redirect-key subscription-id aaa
# Set the keyword of the customized Portal attribute user-mac-address to eee and specify the MAC address in cipher text in the format of xx:xx:xx:xx:xx:xx.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain huawei
[*HUAWEI-aaa-domain-huawei] commit
[*HUAWEI-aaa-domain-huawei] web-server redirect-key user-mac-address eee cipher aes128 cbc
# Set the keyword of the customized Portal attribute mscg-name to mscgname.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain huawei
[*HUAWEI-aaa-domain-huawei] commit
[*HUAWEI-aaa-domain-huawei] web-server redirect-key mscg-name mscgname
# Set the keywords of the customized Portal attributes user-mac-address, mscg-ip, user-ip-address, and user-location to usermac, mscgip, userip, and userlocation, respectively.
<HUAWEI> system-view
[~HUAWEI] aaa
[~HUAWEI-aaa] domain huawei
[*HUAWEI-aaa-domain-huawei] commit
[*HUAWEI-aaa-domain-huawei] web-server redirect-key mscg-ip mscgip
[*HUAWEI-aaa-domain-huawei] web-server redirect-key user-ip-address userip
[*HUAWEI-aaa-domain-huawei] web-server redirect-key user-location userlocation
[*HUAWEI-aaa-domain-huawei] web-server redirect-key user-mac-address usermac
Copyright © Huawei Technologies Co., Ltd.