127
Configuring Layer 2 portal authentication to support web proxy
By default, proxied HTTP requests cannot trigger Layer 2 portal authentication but are silently dropped.
To allow such HTTP requests to trigger portal authentication, configure the port numbers of the web proxy
servers on the device.
Follow these steps to configure Layer 2 portal authentication to support a web proxy:
To do… Use the command…
Remarks
Enter system view system-view —
Add a web proxy
server port number
portal web-proxy port
port-number
Required
By default, no web proxy server port number is
configured and proxied HTTP requests cannot
trigger portal authentication.
NOTE:
• If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers,
add the port numbers of the web proxy servers on the device, and configure portal-free rules to allow
user packets destined for the IP address of the WPAD server to pass without authentication.
• You must add the port numbers of the web proxy servers on the device and users must make sure that
their browsers that use a web proxy server do not use the proxy server for the listenin
IP address of the
local portal server. Thus, HTTP packets that the portal user sends to the local portal server are not sent to
the web proxy server.
Enabling support for portal user moving
NOTE:
Only Layer 2 portal authentication supports this feature.
In scenarios where there are hubs, Layer 2 switches, or APs between users and the access devices, if an
authenticated user moves from the current access port to another Layer 2-portal-authentication-enabled
port of the device without logging off, the user cannot get online when the original port is still up. The
reason is that the original port is still maintaining the authentication information of the user and the
device does not permit such a user to get online from another port by default.
To solve the problem described above, enable support for portal user moving on the device. Then, when
a user moves from a port of the device to another, the device provides services in either of the following
ways:
• If the original port is still up and the two ports belong to the same VLAN, the device allows the user
to continue to access the network without re-authentication, and uses the new port information for
user accounting.
• If the original port is down or the two ports belong to different VLANs, the device removes the
authentication information of the user from the original port and authenticates the user on the new
port.
Follow these steps to enable support for portal user moving:
To do… Use the command…
Remarks
Enter system view system-view —
To Next Page
Loading...
