
HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

547 pages
• You can enable both direct/cross-subnet portal authentication and 802.1X authentication on a
Layer 3 interface, and a user can access the network after passing either authentication. If you
enable both 802.1X authentication and re-DHCP portal authentication on a Layer 3 interface,
portal authentication will fail. For information about 802.1X, see "Configuring 802.1X."
• The destination port number that the access device uses for sending unsolicited packets to the
portal server must be the same as the port number that the remote portal server actually uses.
• The portal server and its parameters can be deleted or modified only when the portal server is
not referenced by any interface.
• Cross-subnet authentication mode (portal server server-name method layer3) does not
require Layer 3 forwarding devices between the access device and the authentication clients.
However, if Layer 3 forwarding devices exist between the authentication client and the access
device, you must select the cross-subnet portal authentication mode.
• In re-DHCP authentication mode, a client can use a public IP address to send packets before
passing portal authentication. However, responses to the packets are restricted.

Configuration prerequisites
Before enabling Layer 3 portal authentication on an interface, make sure the following requirements
are met:
• An IP address is configured for the interface.
• The interface is not added to any port aggregation group.
• The portal server to be referenced on the interface exists.
• Layer 2 portal authentication is not enabled on any ports.

Configuration procedure
To enable Layer 3 portal authentication:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | The interface must be a Layer 3 Ethernet interface. |
| 3. Enable Layer 3 portal authentication on the interface. | portal server server-name method { direct \| layer3 \| redhcp } | Not enabled by default. |
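
A pre-deployment check for the prerequisites and the 802.1X restriction above, as an added example that is not part of the HPE manual. Apart from `portal server server-name method ...`, the configuration line formats (`portal server ... ip`, `ip address`, `dot1x`, `port link-aggregation group`) and the sample configuration are assumptions; the Layer 2 portal prerequisite is not checked.

```python
import re

# Constructed sample configuration (not from the manual). Line syntax other than
# "portal server <name> method ..." is assumed to follow common Comware 5 output.
SAMPLE_CONFIG = """\
portal server newpt ip 192.0.2.10 port 50100
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 portal server newpt method layer3
interface GigabitEthernet0/2
 ip address 10.0.2.1 255.255.255.0
 dot1x
 portal server newpt method redhcp
interface GigabitEthernet0/3
 port link-aggregation group 1
 portal server guest method direct
"""

PORTAL_RE = re.compile(r"portal server (\S+) method (direct|layer3|redhcp)$")

def check_layer3_portal(config):
    """Return (interface, problem) pairs for violated prerequisites."""
    servers, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif not raw.startswith(" "):
            current = None  # back in system view
            if (m := re.match(r"portal server (\S+) ip ", line)):
                servers.add(m.group(1))  # globally defined portal server
        elif current is not None and line:
            current.append(line)
    findings = []
    for name, lines in interfaces.items():
        portal = next((m for m in map(PORTAL_RE.match, lines) if m), None)
        if portal is None:
            continue  # portal authentication not enabled on this interface
        server, method = portal.groups()
        if not any(l.startswith("ip address ") for l in lines):
            findings.append((name, "no IP address configured"))
        if any(l.startswith("port link-aggregation group") for l in lines):
            findings.append((name, "member of an aggregation group"))
        if server not in servers:
            findings.append((name, f"portal server '{server}' is not defined"))
        if method == "redhcp" and "dot1x" in lines:
            findings.append((name, "802.1X with re-DHCP: portal authentication will fail"))
    return findings

if __name__ == "__main__": print(*check_layer3_portal(SAMPLE_CONFIG), sep="\n")
```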

Controlling access of portal users

Configuring a portal-free rule
A portal-free rule allows specified users to access specified external websites without portal
authentication.
The matching items for a portal-free rule include the source and destination IP address, source MAC
address, inbound interface, and VLAN. Packets matching a portal-free rule will not trigger portal
authentication, so users sending the packets can directly access the specified external websites.
For Layer 2 portal authentication, you can configure only a portal-free rule that is from any source
address to any or a specific destination address. If you configure a portal-free rule that is from any
source address to a specific destination address, users can access the specified address directly,
without being redirected to the portal authentication page. Usually, you can configure the IP address
of a server that provides certain services (such as a software upgrade service) as the destination IP
address of a portal-free rule, so that Layer 2 portal authentication users can access the services
without portal authentication.