
Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

NAC Configuration Commands

access-user arp-detect

Function

The access-user arp-detect command sets the source IP address and source MAC address of offline detection packets in a VLAN.

The undo access-user arp-detect command deletes the source IP address and source MAC address of offline detection packets in a VLAN.

By default, the source IP address and source MAC address are not specified for offline detection packets in a VLAN.

Format

access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

undo access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address

Parameters

Parameter: vlan vlan-id
Description: Specifies a VLAN ID.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: ip-address ip-address
Description: Specifies the source IP address of offline detection packets.
Value: The value is in dotted decimal notation.

Parameter: mac-address mac-address
Description: Specifies the source MAC address of offline detection packets.
Value: The value is a unicast MAC address in H-H-H format, where H can be one to four hexadecimal digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.

If the VLAN to which the user belongs does not have a VLANIF interface or the VLANIF interface does not have an IP address, the device sends an offline detection packet using 255.255.255.255 as the source IP address. If a user cannot respond to an ARP probe packet with the source IP address 255.255.255.255, you can specify a source IP address for the offline detection packet. You are advised to specify the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.

Precautions

This function does not take effect for users who use Layer 3 Portal authentication.

You can set source addresses of offline detection packets for users in a maximum of 1024 VLANs.

If a user on a physical interface is online, this command takes effect only after the user goes online again or the device re-authenticates the user.

Example

# Set the source IP address and MAC address of offline detection packets for users in VLAN 10 to 192.168.1.1 and 2222-1111-1234 respectively.

<Huawei> system-view
[Huawei] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address 2222-1111-1234

access-user acl-priviledge-revert

Function

The access-user acl-priviledge-revert command configures the device to match packets with ACL rules in ascending order by rule IDs. That is, a smaller rule ID indicates a higher priority of the rule.

The undo access-user acl-priviledge-revert command restores the default matching sequence for ACL rules.

By default, the device matches packets with ACL rules in descending order by rule IDs. That is, a larger rule ID indicates a higher priority of the rule.

Format

access-user acl-priviledge-revert

undo access-user acl-priviledge-revert

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device matches packets with ACL rules in descending order by rule IDs. You can use the access-user acl-priviledge-revert command to configure the device to match packets with ACL rules in ascending order by rule IDs.

Precautions

The configuration takes effect only after the device is restarted.

Example

# Configure the device to match packets with ACL rules in ascending order by rule IDs.

<Huawei> system-view
[Huawei] access-user acl-priviledge-revert

acl-id (user group view)

Function

The acl-id command binds an ACL to a user group.

The undo acl-id command unbinds an ACL from a user group.

By default, no ACL is bound to a user group.

Format

acl-id acl-number

undo acl-id acl-number

Parameters

Parameter: acl-number
Description: Specifies the number of an ACL bound to a user group.
Value: The value is an integer that ranges from 3000 to 3999.

Views

User group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a user group is created using the user-group command, you can run the acl-id acl-number command to bind an ACL to the user group, so that users in the user group share an ACL.

Prerequisites

An ACL must have been created using the acl (system view) or acl name command.

Precautions

  • If a user group contains online users, the ACL bound to the user group cannot be modified or deleted in the system view.
  • If no ACL rule is configured for a user group, the device does not restrict the network access rights of users in the user group.
  • When configuring ACL rules for a user group, also create a rule that denies all other network access, and make sure that this rule takes effect.
  • If all users in a group are required to have the same access rights, do not specify a source IP address in the ACL bound to the user group. If the ACL bound to a user group specifies a source IP address, only users whose IP address matches that source IP address can match the ACL in the user group.

Example

# Bind ACL 3001 to the user group abc.

<Huawei> system-view
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule 5 deny ip destination 192.168.5.0 0.0.0.255
[Huawei-acl-adv-3001] quit
[Huawei] user-group abc
[Huawei-user-group-abc] acl-id 3001
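
The following Python model is an added example, not the device's ACL implementation. It illustrates two points made on this page together: the matching order controlled by access-user acl-priviledge-revert (by default a larger rule ID wins; after the command, a smaller rule ID wins), and the precaution above about a catch-all deny rule in a user-group ACL. Rule, first_match and decide are the example's own names; the rule sets are constructed, and the wildcard notation of the CLI (192.168.5.0 0.0.0.255) is written as a CIDR network. The page does not state what happens when rules exist but none matches, so that case is reported as "no-match" rather than guessed.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Added toy model of user-group ACL matching, written to illustrate this page's
# description of rule priority. It is not the device's implementation.


class Rule(NamedTuple):
    rule_id: int
    action: str                          # "permit" or "deny"
    destination: ipaddress.IPv4Network   # 192.168.5.0 0.0.0.255 -> 192.168.5.0/24


def first_match(rules: List[Rule], dst: str, ascending: bool) -> Optional[Rule]:
    """Return the first rule whose destination covers dst.

    ascending=False is the default order stated on this page (larger rule ID
    wins); ascending=True is the order after access-user acl-priviledge-revert.
    """
    ordered = sorted(rules, key=lambda r: r.rule_id, reverse=not ascending)
    addr = ipaddress.IPv4Address(dst)
    for rule in ordered:
        if addr in rule.destination:
            return rule
    return None


def decide(rules: List[Rule], dst: str, ascending: bool = False) -> str:
    """Map a destination to "permit", "deny" or "no-match".

    An ACL with no rules leaves users unrestricted (stated on this page). The
    page does not say what happens when rules exist but none matches, so that
    case is reported as "no-match" instead of being guessed.
    """
    if not rules:
        return "permit"
    rule = first_match(rules, dst, ascending)
    return rule.action if rule else "no-match"


# Constructed rule set: the two rules overlap on 192.168.5.0/24, so the
# matching order alone decides the outcome for that subnet.
EXAMPLE_RULES = [
    Rule(5, "deny", ipaddress.ip_network("192.168.5.0/24")),
    Rule(10, "permit", ipaddress.ip_network("192.168.0.0/16")),
]

# Constructed: a catch-all deny. Under the default (descending) order it must
# carry the smallest ID so it is consulted last and only catches traffic that
# no more specific rule matched; with a large ID it would be consulted first.
EXAMPLE_RULES_WITH_FALLBACK = EXAMPLE_RULES + [
    Rule(1, "deny", ipaddress.ip_network("0.0.0.0/0")),
]


if __name__ == "__main__":
    for asc in (False, True):
        order = "ascending" if asc else "descending (default)"
        print(f"{order}: 192.168.5.7 -> {decide(EXAMPLE_RULES, '192.168.5.7', asc)}")
```

Running the model shows why the order is a security setting and not just a detail: the same two rules deny 192.168.5.7 under ascending matching and permit it under the default descending matching, and a catch-all deny only behaves as a fallback if its ID places it last in whichever order the device is using.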

authentication guest-vlan

Function

The authentication guest-vlan command configures a guest VLAN on an interface.

The undo authentication guest-vlan command deletes a guest VLAN from an interface.

By default, no guest VLAN is configured on an interface.

Format

In the system view:

authentication guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication guest-vlan [ vlan-id ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication guest-vlan vlan-id

undo authentication guest-vlan [ vlan-id ]

Parameters

Parameter: vlan-id
Description: Specifies the ID of a guest VLAN.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: interface { interface-type interface-number1 [ to interface-number2 ] }
Description: Specifies the interface type and number.
  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.
Value: -

Views

System view, Ethernet interface view, GE interface view, WLAN-ESS interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During 802.1x authentication, a guest VLAN allows users to access limited resources without authentication. The device supports the guest VLAN function.

Users in the guest VLAN can access resources in the guest VLAN without authentication but must be authenticated when they access external resources.

NOTE:
  • The restrict VLAN is for users who fail authentication, while the guest VLAN is for users who have not been authenticated.
  • If only a guest VLAN is configured and no restrict VLAN is configured, users who fail authentication are added to the guest VLAN.

Prerequisites

The VLAN to be configured as the guest VLAN must have been created.

802.1x authentication has been enabled globally and on the interface using the dot1x enable command.

Precautions

  • The guest VLAN function can take effect only in 802.1x authentication.
  • A super VLAN cannot be configured as a guest VLAN.
  • If the authentication function of the built-in Portal server is enabled, the guest VLAN cannot be configured on interfaces.
  • The guest VLAN function takes effect only when a user sends untagged packets to the device.
  • Different interfaces can be configured with different guest VLANs. After a guest VLAN is configured on an interface, the guest VLAN cannot be deleted.
  • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
    • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
    • When the link type is access or trunk, the access control mode can only be based on the interface.

Example

# In the system view, configure 802.1x authentication using the port-based access method for users on Eth0/0/1 and set the guest VLAN to VLAN 20.

<Huawei> system-view
[Huawei] vlan batch 20
[Huawei] dot1x enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type hybrid
[Huawei-Ethernet0/0/1] quit
[Huawei] dot1x enable interface ethernet 0/0/1
[Huawei] dot1x port-method port interface ethernet 0/0/1
[Huawei] authentication guest-vlan 20 interface ethernet 0/0/1

authentication restrict-vlan

Function

The authentication restrict-vlan command configures a restrict VLAN on an interface.

The undo authentication restrict-vlan command deletes the restrict VLAN from an interface.

By default, no restrict VLAN is configured on an interface.

Format

In the system view:

authentication restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo authentication restrict-vlan [ vlan-id ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

authentication restrict-vlan vlan-id

undo authentication restrict-vlan [ vlan-id ]

Parameters

Parameter: vlan-id
Description: Specifies the ID of a restrict VLAN.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: interface { interface-type interface-number1 [ to interface-number2 ] }
Description: Specifies the interface type and number.
  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.
Value: -

Views

System view, Ethernet interface view, GE interface view, WLAN-ESS interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure a restrict VLAN on a device interface so that users who fail authentication can still access some network resources (for example, to update the virus library). Users who fail authentication are added to the restrict VLAN and can access the resources in it. Note that a user fails authentication when the authentication server rejects the user for some reason (for example, the user enters an incorrect password), not when the authentication times out or the network is disconnected.

NOTE:
  • The restrict VLAN is for users who fail authentication, while the guest VLAN is for users who have not been authenticated.
  • If only a guest VLAN is configured and no restrict VLAN is configured, users who fail authentication are added to the guest VLAN.

Prerequisites

The VLAN to be configured as the restrict VLAN must have been created.

802.1x authentication has been enabled globally and on the interface using the dot1x enable command.

Precautions

  • A super VLAN cannot be configured as a restrict VLAN.
  • If the authentication function of the built-in Portal server is enabled, the restrict VLAN cannot be configured on interfaces.
  • The restrict VLAN function takes effect only when a user sends untagged packets to the device.
  • After a restrict VLAN is configured on an interface, the restrict VLAN cannot be deleted.
  • To make the VLAN authorization function take effect, the link type and access control mode of the authentication interface must meet the following requirements:
    • When the link type is hybrid in untagged mode, the access control mode can be based on the MAC address or interface.
    • When the link type is access or trunk, the access control mode can only be based on the interface.

Example

# In the system view, configure 802.1x authentication using the port-based access method for users on Eth0/0/1 and set the restrict VLAN to VLAN 20.

<Huawei> system-view
[Huawei] vlan batch 20
[Huawei] dot1x enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] port link-type hybrid
[Huawei-Ethernet0/0/1] quit
[Huawei] dot1x enable interface ethernet 0/0/1
[Huawei] dot1x port-method port interface ethernet 0/0/1
[Huawei] authentication restrict-vlan 20 interface ethernet 0/0/1

authentication restrict-vlan fail-times

Function

The authentication restrict-vlan fail-times command sets the maximum number of a user's authentication failures before the user is added to the restrict VLAN.

The undo authentication restrict-vlan fail-times command restores the default setting.

By default, the maximum number of authentication failures before the user is added to the restrict VLAN is 3.

Format

authentication restrict-vlan fail-times fail-times

undo authentication restrict-vlan fail-times

Parameters

Parameter: fail-times
Description: Specifies the maximum number of authentication failures before the user is added to the restrict VLAN.
Value: The value is an integer that ranges from 1 to 255. The default value is 3.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The authentication restrict-vlan fail-times command must be used with the authentication restrict-vlan command.

After the restrict VLAN is configured on the interface using the authentication restrict-vlan command, the user who fails the authentication is added to the restrict VLAN. The maximum number of authentication failures before the user is added to the restrict VLAN is configured using the authentication restrict-vlan fail-times command. The user is added to the restrict VLAN only after the consecutive authentication failures reach the maximum number.

Prerequisites

802.1x authentication has been enabled globally and on the interface using the dot1x enable command.

Example

# Set the maximum number of authentication failures before the user is added to the restrict VLAN to 4.

<Huawei> system-view
[Huawei] authentication restrict-vlan fail-times 4
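
The following Python class is an added example, not Huawei code. It models, for one interface, where a user lands according to the guest-VLAN and restrict-VLAN rules stated in the authentication guest-vlan, authentication restrict-vlan and authentication restrict-vlan fail-times sections of this page: a user who has not authenticated gets the guest VLAN; a user whom the server rejects is moved to the restrict VLAN once consecutive rejections reach fail-times (default 3), or to the guest VLAN when no restrict VLAN is configured; timeouts and link failures do not count as failures; and a success resets the counter. InterfaceNac, the event names, and the behaviour before the threshold is reached (no VLAN change) are the example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Added toy model of guest/restrict VLAN assignment for one 802.1x interface,
# following the rules stated on this page. Not the device's implementation.


@dataclass
class InterfaceNac:
    guest_vlan: Optional[int] = None      # authentication guest-vlan
    restrict_vlan: Optional[int] = None   # authentication restrict-vlan
    fail_times: int = 3                   # authentication restrict-vlan fail-times
    _failures: Dict[str, int] = field(default_factory=dict)

    def initial_vlan(self) -> Optional[int]:
        """A user who has not authenticated yet gets the guest VLAN, if any."""
        return self.guest_vlan

    def consecutive_failures(self, mac: str) -> int:
        return self._failures.get(mac, 0)

    def on_auth_event(self, mac: str, event: str) -> Optional[int]:
        """Update the per-user failure counter and return the VLAN to apply.

        event is one of:
          "reject"  - the server rejected the user (counts as a failure)
          "timeout" - no server answer or network down (does not count, as the
                      page states such cases are not authentication failures)
          "success" - authentication passed (resets the counter)
        None means this model states no VLAN change for the event; the VLAN
        authorized on success is outside the model (assumption).
        """
        if event == "success":
            self._failures.pop(mac, None)
            return None
        if event == "timeout":
            return None
        if event != "reject":
            raise ValueError(f"unknown event {event!r}")

        count = self._failures.get(mac, 0) + 1
        self._failures[mac] = count
        if self.restrict_vlan is not None:
            # Restrict VLAN applies only once consecutive failures reach fail-times.
            return self.restrict_vlan if count >= self.fail_times else None
        # No restrict VLAN configured: failed users go to the guest VLAN
        # (which may itself be unset, in which case nothing is applied).
        return self.guest_vlan


if __name__ == "__main__":
    # Constructed walk-through: fail-times 4 as in the example on this page.
    nac = InterfaceNac(guest_vlan=20, restrict_vlan=30, fail_times=4)
    for ev in ("reject", "timeout", "reject", "reject", "reject"):
        print(ev, "->", nac.on_auth_event("0011-0904-2f61", ev))
```

The distinction between "reject" and "timeout" is the part worth keeping in mind operationally: a RADIUS server outage produces timeouts, not rejections, so it does not push users into the restrict VLAN, whereas repeated wrong passwords do.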

authentication speed-limit auto

Function

The authentication speed-limit auto command enables the device to dynamically adjust the rate of packets from NAC users.

The undo authentication speed-limit auto command disables the device from dynamically adjusting the rate of packets from NAC users.

By default, the device does not dynamically adjust the rate of packets from NAC users.

Format

authentication speed-limit auto

undo authentication speed-limit auto

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When many NAC users send authentication or logoff requests to the device, the CPU may become overloaded, especially when the CPU or memory usage is already high (for example, above 80%).

After this command is executed, the device limits the number of NAC packets received per second if the CPU or memory usage is high. This function reduces loads on the device CPU.

Example

# Enable the device to dynamically adjust the rate of packets from NAC users.

<Huawei> system-view
[Huawei] authentication speed-limit auto

cut access-user user-group

Function

The cut access-user user-group command disconnects all users in a specified user group.

Format

cut access-user user-group group-name

Parameters

Parameter: group-name
Description: Specifies the name of a user group.
Value: The value is a string of 1 to 64 case-sensitive characters without spaces.

Views

AAA view

Default Level

3: Management level

Usage Guidelines

The administrator can run the cut access-user user-group command to disconnect all users in a user group.

If a user group that still has online users needs to be deleted, run the cut access-user user-group command first to disconnect all users in the user group, and then run the undo user-group command to delete the user group.

Example

# Disconnect all users in the user group test1.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] cut access-user user-group test1

cut web-authentication-user

Function

The cut web-authentication-user command configures the device to force Portal authentication users offline when a 3G/LTE link is disconnected.

The undo cut web-authentication-user command configures the device not to force Portal authentication users offline when a 3G/LTE link is disconnected.

By default, the Portal authentication users are still online when the 3G/LTE link is disconnected.

Format

cut web-authentication-user [ domain domain-name | ssid ssid ]

undo cut web-authentication-user

Parameters

Parameter: domain domain-name
Description: Specifies the domain name used in Portal authentication. After this parameter is specified, the device forcibly disconnects the users who went online through this domain when the 3G/LTE link is disconnected.
Value: The value must be an existing domain name.

Parameter: ssid ssid
Description: Specifies the service set identifier (SSID) of the wireless network. After this parameter is specified, the device forcibly disconnects the users who connect to this wireless network when the 3G/LTE link is disconnected.
Value: The value must be an existing SSID.

Views

Cellular interface view

Default Level

2: Configuration level

Usage Guidelines

When a router functioning as a mobile Internet gateway is deployed on a bus or in a metro, only users who pass Portal authentication can connect to the vehicle-mounted Wi-Fi network and access external networks through the 3G/LTE interface. When the 3G/LTE link is disconnected, the users are not logged off in real time even though they can no longer open any web page. This has a negative effect on user experience.

After you run the cut web-authentication-user command on the 3G/LTE interface, the device forces Portal authentication users offline when the 3G/LTE link is disconnected. The disconnected users can still access the internal network resources of the router, so their experience is better.

NOTE:

Currently, only the AR510 series routers can function as mobile Internet gateways.

Example

# Configure the device to forcibly disconnect the users who connect to the wireless network bus-wlan when the 3G/LTE link is disconnected.

<Huawei> system-view
[Huawei] interface cellular 0/0/0
[Huawei-Cellular0/0/0] cut web-authentication-user ssid bus-wlan

display access-user user-group

Function

The display access-user user-group command displays information about online users in a user group.

Format

display access-user user-group group-name

Parameters

Parameter: group-name
Description: Displays brief information about online users bound to a specified user group.
Value: The value is a string of 1 to 64 case-sensitive characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When checking the configuration of a user group, you can run the display access-user user-group command to check brief information about online users bound to the user group. You can locate network faults according to the command output.

Example

# Display brief information about online users bound to the user group test1.

<Huawei> display access-user user-group test1  
-------------------------------------------------------------------------------
 UserID Username                       IP address                   MAC  
 ------------------------------------------------------------------------------
 16016  1@radius                       9.8.7.5                   0011-0904-2f61 
 ------------------------------------------------------------------------------
 Total 1,1 printed
Table 14-30  Description of the display access-user user-group command output

Item

Description

UserID

ID of a user bound to the user group.

Username

Name of the user.

IP address

IP address of the user.

MAC

MAC address of the user.

display dot1x

Function

The display dot1x command displays 802.1x authentication information.

Format

display dot1x [ statistics ] [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

Parameters

Parameter: statistics
Description: Displays statistics on 802.1x authentication. Statistics about 802.1x authentication are displayed only when this parameter is specified.
Value: -

Parameter: interface { interface-type interface-number1 [ to interface-number2 ] }
Description: Displays 802.1x authentication information on a specified interface.
  • interface-type specifies the interface type.
  • interface-number1 specifies the number of the first interface.
  • interface-number2 specifies the number of the last interface.
  802.1x authentication information on all device interfaces is displayed if this parameter is not specified.
Value: -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display dot1x command to view configuration results of all configuration commands in 802.1x authentication and statistics about 802.1x packets.

The command output helps you to check whether the current 802.1x authentication configuration is correct and isolate faults accordingly.

Follow-up Procedure

The display dot1x command displays the statistics on 802.1x packets. You can locate the fault according to the packet statistics. When the fault is rectified, run the reset dot1x statistics command to clear the packet statistics. After a period of time, run the display dot1x command again to check the packet statistics. If no error packet is found, the fault is rectified.

Example

# Display 802.1x authentication information.

<Huawei> display dot1x
  Global 802.1x is Enabled
  Authentication method is CHAP
  Max users: 1024
  Current users: 0
  DHCP-trigger is Disabled
  Handshake is Enabled
  Quiet function is Disabled
  Parameter set:Handshake Period    15s   Reauthen Period   3600s
                Client Timeout      30s   Server Timeout      30s
                Quiet Period        60s   Quiet-times          3

 Ethernet0/0/1 status: UP  802.1x protocol is Enabled[mac-bypass]
  Port control type is Auto
  Authentication mode is MAC-based
  Authentication method is EAP
  Reauthentication is disabled
  Maximum users: 1024
  Current users: 0
  Guest VLAN is disabled
  Restrict VLAN is disabled               

  Authentication Success: 0          Failure: 0
  EAPOL Packets: TX     : 0          RX     : 0
  Sent      EAPOL Request/Identity Packets  : 0
            EAPOL Request/Challenge Packets : 0
            Multicast Trigger Packets       : 0
            EAPOL Success Packets           : 0
            EAPOL Failure Packets           : 0
  Received  EAPOL Start Packets             : 0
            EAPOL Logoff Packets            : 0
            EAPOL Response/Identity Packets : 0
            EAPOL Response/Challenge Packets: 0 
Table 14-31  Description of the display dot1x command output

Item

Description

Global 802.1x is Enabled

802.1x authentication is enabled globally.

To enable 802.1x authentication, run the dot1x enable command.

Authentication method is CHAP

CHAP authentication is enabled. The authentication methods include EAP, CHAP, and PAP.

To enable CHAP authentication, run the dot1x authentication-method command.

Max users

Maximum number of global online users.

To set the maximum number of global online users, run the dot1x max-user command.

Current users

Number of current online users.

DHCP-trigger is Disabled

Authentication triggering through DHCP packets is disabled.

To trigger authentication using DHCP packets, run the dot1x dhcp-trigger command.

Handshake is Enabled

The handshake function is enabled for online users.

To enable the handshake function, run the dot1x handshake command.

Quiet function is Disabled

The quiet function is disabled for users.

To enable the quiet function, run the dot1x quiet-period command.

Parameter set

Settings of 802.1x authentication parameters.

Handshake Period

Handshake interval.

To set the handshake interval, run the dot1x timer command.

Reauthen Period

Re-authentication interval.

To set the re-authentication interval, run the dot1x timer command.

Client Timeout

Timeout interval of a client.

To set the timeout interval of a client, run the dot1x timer command.

Server Timeout

Timeout interval of the authentication server.

To set the timeout interval of the authentication server, run the dot1x timer command.

Quiet Period

Value of the quiet timer.

To set the value of the quiet timer, run the dot1x timer command.

Quiet-times

Maximum number of authentication failures before an 802.1x user enters the quiet state.

To set the maximum number of authentication failures, run the dot1x quiet-times command.

Ethernet0/0/1 status

State of an interface.

  • UP: The interface is started.
  • DOWN: The interface is shut down.

802.1x protocol is Enabled[mac-bypass]

802.1x authentication is enabled on the interface. To enable 802.1x authentication, run the dot1x enable command.

To configure MAC address bypass authentication, run the dot1x mac-bypass command. If MAC address bypass authentication is configured, [mac-bypass] is displayed.

Port control type is Auto

The control mode on the interface is auto for 802.1x authentication user access. The access control modes include auto, authorized-force, and unauthorized-force.

To set the control mode, run the dot1x port-control command.

Authentication mode is MAC-based

The MAC address-based authentication method is used on the interface.

To set the authentication method on the interface, run the dot1x port-method command.

Reauthentication is disabled

802.1x user re-authentication is disabled on the interface.

To enable 802.1x user re-authentication, run the dot1x reauthenticate command.

Maximum users

Maximum number of online users on the interface.

To set the maximum number of online users on the interface, run the dot1x max-user command.

Current users

Number of current online users on the interface.

Guest VLAN is disabled

The guest VLAN function is disabled on the interface.

To enable the guest VLAN function, run the authentication guest-vlan command.

Restrict VLAN is disabled

The restrict VLAN function is disabled on the interface.

To enable the restrict VLAN function, run the authentication restrict-vlan command.

Authentication Success Failure

Number of successful and failed authentications.

The statistics include statistics on online 802.1x users but not on the users using MAC address bypass authentication.

EAPOL Packets: TX RX

Number of globally received and sent EAPOL packets.

EAPOL Request/Identity Packets

Number of globally received and sent EAPOL Request/Identity packets.

EAPOL Request/Challenge Packets

Number of globally received and sent EAPOL Request/Challenge packets.

Multicast Trigger Packets

Number of received and sent multicast packets that trigger authentication.

EAPOL Success Packets

Number of globally received and sent EAPOL Success packets.

EAPOL Failure Packets

Number of globally received and sent EAPOL Failure packets.

EAPOL Start Packets

Number of globally received and sent EAPOL Start packets.

EAPOL Logoff Packets

Number of globally received and sent EAPOL LogOff packets.

EAPOL Response/Identity Packets

Number of globally sent and received EAPOL Response/Identity packets.

EAPOL Response/Challenge Packets

Number of globally sent and received EAPOL Response/Challenge packets.
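
The following Python parser is an added example written for this page, not a Huawei tool. It turns display dot1x output into a dictionary with one section for the global settings and one per interface (settings, timers and packet counters), and implements the follow-up procedure described under Usage Guidelines above by listing the interfaces whose failure-related counters are still non-zero after reset dot1x statistics and a waiting period. The sample output is adapted from the example above with constructed non-zero counters; all function names are the example's own.

```python
import re
from typing import Any, Dict

# Line patterns taken from the sample display dot1x output on this page.
_IFACE_RE = re.compile(r"^\s*(\S+) status: (\S+)\s+802\.1x protocol is (\w+)(\[[^\]]*\])?")
_AUTH_RE = re.compile(r"Authentication Success:\s*(\d+)\s+Failure:\s*(\d+)")
_EAPOL_RE = re.compile(r"EAPOL Packets: TX\s*:\s*(\d+)\s+RX\s*:\s*(\d+)")
_COUNTER_RE = re.compile(r"^\s*(?:Sent|Received)?\s*(.+?Packets)\s*:\s*(\d+)\s*$")
_KV_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\d+)\s*$")
_IS_RE = re.compile(r"^\s*(.+?) is ([\w-]+)\s*$")
_TIMER_RE = re.compile(r"([A-Z][A-Za-z-]*(?: [A-Z][a-z]+)?)\s+(\d+)s?")

FAILURE_KEYS = ("Authentication Failure", "EAPOL Failure Packets")


def parse_display_dot1x(text: str) -> Dict[str, Any]:
    """Split display dot1x output into a global section and one per interface."""
    result: Dict[str, Any] = {"global": {"counters": {}}, "interfaces": {}}
    section = result["global"]
    in_params = False  # inside the multi-line "Parameter set:" timer block
    for line in text.splitlines():
        if "Parameter set:" in line:
            in_params = True
        if in_params:
            if not line.strip():
                in_params = False          # a blank line ends the timer block
            else:
                for key, value in _TIMER_RE.findall(line):
                    section.setdefault("timers", {})[key] = int(value)
            continue
        m = _IFACE_RE.match(line)
        if m:                              # header line starts an interface section
            name, status, proto, extra = m.groups()
            section = {"status": status, "802.1x protocol": proto,
                       "mac-bypass": extra == "[mac-bypass]", "counters": {}}
            result["interfaces"][name] = section
            continue
        m = _AUTH_RE.search(line)
        if m:
            section["counters"]["Authentication Success"] = int(m.group(1))
            section["counters"]["Authentication Failure"] = int(m.group(2))
            continue
        m = _EAPOL_RE.search(line)
        if m:
            section["counters"]["EAPOL TX"] = int(m.group(1))
            section["counters"]["EAPOL RX"] = int(m.group(2))
            continue
        m = _COUNTER_RE.match(line)        # "Sent  EAPOL ... Packets : N" lines
        if m:
            section["counters"][m.group(1).strip()] = int(m.group(2))
            continue
        m = _KV_RE.match(line)             # "Max users: 1024" style lines
        if m:
            section[m.group(1).strip()] = int(m.group(2))
            continue
        m = _IS_RE.match(line)             # "Handshake is Enabled" style lines
        if m:
            section[m.group(1).strip()] = m.group(2)
    return result


def interfaces_with_failures(parsed: Dict[str, Any]) -> Dict[str, Dict[str, int]]:
    """Interfaces whose failure-related counters are non-zero: the check the
    page's follow-up procedure makes after the statistics have been reset."""
    flagged: Dict[str, Dict[str, int]] = {}
    for name, sec in parsed["interfaces"].items():
        bad = {k: v for k, v in sec["counters"].items() if k in FAILURE_KEYS and v > 0}
        if bad:
            flagged[name] = bad
    return flagged


# Constructed sample: the page's example output with non-zero counters on Ethernet0/0/1.
SAMPLE = """\
  Global 802.1x is Enabled
  Authentication method is CHAP
  Max users: 1024
  Handshake is Enabled
  Parameter set:Handshake Period    15s   Reauthen Period   3600s
                Client Timeout      30s   Server Timeout      30s
                Quiet Period        60s   Quiet-times          3

 Ethernet0/0/1 status: UP  802.1x protocol is Enabled[mac-bypass]
  Port control type is Auto
  Authentication mode is MAC-based
  Guest VLAN is disabled

  Authentication Success: 12         Failure: 4
  EAPOL Packets: TX     : 40         RX     : 38
  Sent      EAPOL Request/Identity Packets  : 16
            EAPOL Failure Packets           : 4
  Received  EAPOL Start Packets             : 16
"""


if __name__ == "__main__":
    print(interfaces_with_failures(parse_display_dot1x(SAMPLE)))
```

Feeding two captures into parse_display_dot1x, one taken right after reset dot1x statistics and one after the waiting period, and comparing what interfaces_with_failures returns is the scripted form of the "if no error packet is found, the fault is rectified" check; the same parsed structure also exposes the per-interface settings (port control type, authentication mode, guest and restrict VLAN state) for a configuration audit.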

display mac-address authen/display mac-address guest

Function

The display mac-address authen command displays the current authen MAC address entries in the system.

The display mac-address guest command displays the current guest MAC address entries in the system.

Format

display mac-address { authen | guest } [ interface-type interface-number | vlan vlan-id ]

Parameters

Parameter: vlan vlan-id
Description: Displays MAC address entries in a specified VLAN. If no VLAN is specified, MAC address entries in all VLANs of the device are displayed.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: interface-type interface-number
Description: Displays MAC address entries on a specified interface. If no interface is specified, MAC address entries on all interfaces of the device are displayed.
Value: -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The administrator can run this command to check the existing authen or guest MAC address entries on the device. The administrator can check information about user access based on these MAC address entries to locate user access faults.
  • authen: MAC address entries that are generated for pre-connection users or after users pass authentication.
  • guest: MAC address entries that are generated when users fail authentication and are added to a guest VLAN.

Precautions

If there are many authen or guest MAC address entries, specify a VLAN or use the pipe operator (|) to filter the output. Otherwise, the following problems may occur because of the excessive output:
  • The displayed information is refreshed repeatedly on the terminal screen, and the administrator cannot find the required information.
  • The device spends a long time traversing and retrieving the information and does not respond to any request meanwhile.

Example

# Display all authen MAC address entries in the system.

<Huawei> display mac-address authen
-------------------------------------------------------------------------------  
MAC Address    VLAN/VSI                          Learned-From        Type        
-------------------------------------------------------------------------------
0000-0000-0100 3000                              Eth0/0/1            authen
0000-0000-0400 3000                              Eth0/0/1            authen
0000-0000-0200 3000                              Eth0/0/1            authen
-------------------------------------------------------------------------------  
Total items displayed = 3

# Display all guest MAC address entries in the system.

<Huawei> display mac-address guest
-------------------------------------------------------------------------------  
MAC Address    VLAN/VSI                          Learned-From        Type        
-------------------------------------------------------------------------------
0000-0000-0100 3000                              Eth0/0/1            guest
0000-0000-0400 3000                              Eth0/0/1            guest
0000-0000-0200 3000                              Eth0/0/1            guest
-------------------------------------------------------------------------------  
Total items displayed = 3                     
Table 14-32  Description of the display mac-address authen/display mac-address guest command output

Item

Description

MAC Address

MAC address of a user to be authenticated.

VLAN/VSI

VLAN or VSI that the outbound interface belongs to.

Learned-From

Interface on which a MAC address is learned.

Type

Type of MAC addresses.

Total items displayed

Total number of MAC address entries that match the filter condition.

display mac-authen

Function

The display mac-authen command displays information about MAC address authentication.

Format

display mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Displays information about MAC address authentication on a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

MAC address authentication information on all device interfaces is displayed if this parameter is not specified.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display mac-authen command to view the result of all MAC address authentication configuration commands. The command output helps you check whether the MAC address authentication configuration is correct and isolate faults accordingly.

Follow-up Procedure

You can locate the fault according to the packet statistics that are displayed by the display mac-authen command. When the fault is rectified, run the reset mac-authen statistics command to clear the packet statistics. After a period of time, run the display mac-authen command again to check the packet statistics. If no error packet is found, the fault is rectified.

Example

# View all information about MAC address authentication.

<Huawei> display mac-authen
  MAC address authentication is Enabled.
  Username format: use MAC address without-hyphen as username
  Quiet period is 60s                                                     
  Authentication fail times before quiet is 1
  Offline detect period is 300s                                           
  Server response timeout value is 30s                                    
  Reauthenticate period is 3600s
  Guest user reauthenticate period is 60s                          
  Maximum users: 100
  Current users: 2                                                
  Global domain is not configured                                        
                                                                                
 Ethernet0/0/1 state : UP. MAC address authentication is enabled                                        
  Reauthentication is enabled                                                   
  Reauthen Period: 1000s                                                        
  Maximum users: 100                                                           
  Current users: 0                                                              
  Authentication Success: 0, Failure: 0                                         
  Guest VLAN is disabled                                                        
  Restrict VLAN is disabled  
Table 14-33  Description of the display mac-authen command output

Item

Description

MAC address authentication is Enabled

MAC address authentication is enabled. To enable MAC address authentication, run the mac-authen command.

Username format: use MAC address without-hyphen as username

The user name is the MAC address without hyphens.

To configure a user name, run the mac-authen username command.

Quiet period

Quiet timer value, during which the user waits for re-authentication after the maximum number of authentication failures is exceeded. The default value of the quiet timer is 60 seconds.

To set the quiet period, run the mac-authen timer command.

Authentication fail times before quiet

Maximum number of authentication failures before a MAC address authentication user enters the quiet state.

Offline detect period

Interval for detecting online users. The timer is used to periodically check whether a user is offline. The default interval is 300 seconds.

To set the interval for detecting online users, run the mac-authen timer command.

Server response timeout value

Timeout interval of a connection with the server. The default timeout interval is 30 seconds.

To set the server response timeout value, run the mac-authen timer command.

Reauthenticate period

Interval at which users are re-authenticated. The default interval is 1800 seconds.

To set the re-authentication period, run the mac-authen timer command.

Guest user reauthenticate period

Interval at which users in a guest VLAN are re-authenticated. The default interval is 60 seconds.

To set the guest VLAN user re-authentication period, run the mac-authen timer command.

Maximum users

Maximum number of online users allowed by the device.

To set the maximum number of MAC address authentication users on an interface, run the mac-authen max-user command.

Current users

Number of current online users.

Global domain

Current authentication domain. By default, no authentication domain is specified for users. If you do not specify any domain for users, the default domain in the system is used.

To configure an authentication domain, run the mac-authen domain command.

Ethernet0/0/1 state

Interface state.

  • UP: The interface is up.
  • DOWN: The interface is shut down.

MAC address authentication is Enabled

MAC address authentication is enabled on the interface. To enable MAC address authentication, run the mac-authen command.

Reauthentication is enabled

MAC address reauthentication is enabled. To enable MAC address reauthentication, run the mac-authen reauthenticate command.

Reauthen Period

Interval at which users are re-authenticated. The default interval is 1800 seconds.

Maximum users

Maximum number of MAC address authentication users on the interface.

To set the maximum number of MAC address authentication users on an interface, run the mac-authen max-user command.

Current users

Number of current online users on the interface.

Authentication Success: 0, Failure: 0

Numbers of successful and failed authentications on the interface.

Guest VLAN is disabled

Guest VLAN configured on the interface.

To configure the guest VLAN on an interface, run the authentication guest-vlan command.

Restrict VLAN is disabled

Restrict VLAN configured on the interface.

To configure the restrict VLAN on an interface, run the authentication restrict-vlan command.

display portal

Function

The display portal command displays the Portal authentication configuration.

Format

display portal [ interface interface-type interface-number ]

Parameters

Parameter Description Value
interface interface-type interface-number
Displays Portal authentication configuration on a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

Portal authentication configuration in the system view or on all interfaces is displayed if this parameter is not specified.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display portal command to view the Portal authentication configuration and check whether the configuration is correct.

Example

# Display the Portal authentication configuration.

<Huawei> display portal
 Portal timer offline-detect length:300
 Portal max-user number:256 
 Quiet function is Disabled                                                     
 Parameter set: Quiet Period        60s   Quiet-times          3   

# Display the Portal authentication configuration on VLANIF10.

<Huawei> display portal interface vlanif 10
                                                                                
 Vlanif10 protocol status: up, web-auth-server layer2(direct)               
    Portal domain: tsm                                           
    Auth-network:                                              
       10.3.3.3          255.255.255.255                    
       10.8.0.0          255.255.0.0                        
Table 14-34  Description of the display portal command output

Item

Description

Portal timer offline-detect length

Portal authentication user offline detection interval.

To set the user offline detection interval, run the portal timer offline-detect command.

Portal max-user number

Maximum number of concurrent Portal authentication users allowed to access the device.

To set the maximum number of concurrent Portal authentication users allowed to access the device, run the portal max-user command.

Quiet function is Disabled

Whether the quiet function in Portal authentication is enabled.
  • Enabled
  • Disabled

To enable the quiet function, run the portal quiet-period command.

Parameter set

Parameter settings of the quiet function in Portal authentication.
  • Quiet Period: indicates the quiet period in Portal authentication. To set the quiet period in Portal authentication, run the portal timer quiet-period command.
  • Quiet-times: indicates the maximum number of authentication failures within 60 seconds before a Portal authentication user enters the quiet state. To set the maximum number of authentication failures, run the portal quiet-times command.

Vlanif10 protocol status

Link layer protocol state of the VLANIF interface.

  • up: indicates that the interface is running properly.
  • down: indicates that the interface is disabled.
  • web-auth-server layer2(direct): indicates that the authentication mode is set to Layer 2 Portal authentication on a specified interface.

Portal domain

Name of a forcible Portal authentication domain.

To set a forcible Portal authentication domain, run the portal domain command.

Auth-network

Portal authentication subnet.

To set the Portal authentication subnet, run the portal auth-network command.

display portal free-rule

Function

The display portal free-rule command displays authentication-free rules for Portal authentication users.

Format

display portal free-rule [ rule-id ]

Parameters

Parameter Description Value
rule-id

Specifies the ID of the authentication-free rule to display. If the rule ID is not specified, the configuration of all authentication-free rules is displayed.

The value is an integer that ranges from 0 to 31.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display portal free-rule command shows the configuration of authentication-free rules. You can locate faults according to the command output.

Example

# Display the configuration of authentication-free rules.

<Huawei> display portal free-rule
portal free-rule 0 destination ip 10.1.1.1 mask 255.255.255.255                  
portal free-rule 10 destination ip 10.1.1.2 mask 255.255.255.255                
Total 2 free-rules                                               

# Display the configuration of authentication-free rule 10.

<Huawei> display portal free-rule 10
portal free-rule 10 destination ip 10.1.1.1 mask 255.255.255.255                                              

display portal local-server

Function

The display portal local-server command displays the configurations of a built-in Portal server.

Format

display portal local-server

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After configuring the built-in Portal authentication, run this command to view the configurations of a built-in Portal server.

Example

# Display the configurations of a built-in Portal server.

<Huawei> display portal local-server
 Portal local-server config:                    
  server status            : enable                 
  Heartbeat-check status   : auto    
  Heartbeat-timeout value  : 120(s)     
  server ip                : 10.6.7.1                     
  authentication method    : chap                       
  protocol                 : https 
  https ssl-policy         : 1 
  server port              : 4545        
  session-timeout          : 8(h)  
  server pagename          : abc.zip     
  server page-text         : flash:/page-text.txt
  server policy-text       : flash:/policy.html 
  server background-image  : flash:/bg.png                                       
  server background-color  : #AABBCC                                            
  server logo              : flash:/logo.png                                       
  server ad-image          : flash:/ad.png  
Table 14-35  Description of the display portal local-server command output

Item

Description

server status

Status of a built-in Portal server. To enable the built-in Portal server function, run the portal local-server command.
  • disable: Portal authentication is disabled.
  • enable: Portal authentication is enabled.

Heartbeat-check status

Heartbeat detection status of the built-in Portal server. To set the heartbeat detection status, run the portal local-server keep-alive command.
  • disable: indicates that the heartbeat detection function is disabled.
  • enable: indicates the forcible detection mode.
  • auto: indicates the automatic detection mode.

Heartbeat-timeout value

Heartbeat detection interval of the built-in Portal server. To set the heartbeat detection interval, run the portal local-server keep-alive command.

This parameter is unavailable when the value of Heartbeat-check status is disable.

server ip

IP address of a built-in Portal server. To set the server IP address, run the portal local-server ip command.

authentication method

Authentication method used by a built-in Portal server for Portal users. To set the authentication method, run the portal local-server authentication-method command.
  • chap: CHAP-based authentication (CHAP stands for Challenge Handshake Authentication Protocol.)
  • pap: PAP-based authentication (PAP stands for Password Authentication Protocol.)

protocol

Protocol used for authentication information exchange between a built-in Portal server and users. To enable the built-in Portal server function, run the portal local-server command.

https ssl-policy

SSL policy used for authentication information exchange between a built-in Portal server and users. To enable the built-in Portal server function, run the portal local-server command.

server port

TCP port number used by HTTPS. To specify a TCP port number used by HTTPS, run the portal local-server command.

session-timeout

User session timeout interval configured on the built-in Portal server. To set the session timeout interval, run the portal local-server timer session-timeout command.

server pagename

Name of the page file package loaded to the built-in Portal server. To set the file name, run the portal local-server load command.

server page-text

Text or hyperlink loaded on the built-in Portal server login page. To set the text or hyperlink, run the portal local-server page-text load command.

server policy-text

Disclaimer page loaded to the built-in Portal server. To set the disclaimer page, run the portal local-server policy-text load command.

server background-image

Background image of the built-in Portal server login page. To set the background image, run the portal local-server background-image load command.

server background-color

Background color of the built-in Portal server login page. To set the background color, run the portal local-server background-color command.

server logo

Logo file of the built-in Portal server login page. To configure the logo file, run the portal local-server logo load command.

server ad-image

Advertisement image file of the built-in Portal server login page. To configure the advertisement image file, run the portal local-server ad-image load command.

display portal local-server connect

Function

The display portal local-server connect command displays the connection status of users to be authenticated on a built-in Portal server.

Format

display portal local-server connect [ user-ip ip-address ]

Parameters

Parameter

Description

Value

user-ip ip-address

Displays the connection entry of a user with a specified IP address on a built-in Portal server.

The connection entries of all users on the built-in Portal server are displayed if this parameter is not specified.

The value of ip-address is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display portal local-server connect command to check the authentication mode and status of users to be authenticated on a built-in Portal server.

Example

# Display the connection status of the user with the IP address 10.1.1.10 on a built-in Portal server.

<Huawei> display portal local-server connect user-ip 10.1.1.10
-------------------------------------------------------------------------------
	 CID  IP Address      AuthMode  State                                           
	 1    10.1.1.10       CHAP      ONLINE                                           
--------------------------------------------------------------------------------

# Display the connection status of all users on the built-in Portal server.

<Huawei> display portal local-server connect
-------------------------------------------------------------------------------
	 CID  IP Address      AuthMode  State                                           
	 1    10.1.1.10       CHAP      ONLINE 
	 2    10.1.1.11       PAP       ONLINE                                          
--------------------------------------------------------------------------------
Table 14-36  Description of the display portal local-server connect command output

Item

Description

CID

User table index.

IP Address

IP address of a user.

AuthMode

Authentication mode:
  • CHAP: The built-in Portal server uses CHAP to authenticate the user.
  • PAP: The built-in Portal server uses PAP to authenticate the user.

To set the authentication method, run the portal local-server authentication-method command.

State

User status:
  • WAIT_CHALLENGE: waiting for the challenge
  • WAIT_AUTHACK: waiting for the authentication response
  • ONLINE: online
  • WAIT_LOGOUTACK: waiting for logout

display portal local-server page-information

Function

The display portal local-server page-information command displays the page files loaded to the memory of a built-in Portal server.

Format

display portal local-server page-information

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display portal local-server page-information command to check the page files loaded to the memory of a built-in Portal server.

Example

# Display the page files loaded to the memory of a built-in Portal server.

<Huawei> display portal local-server page-information
--------------------------------------------------------------------------------
	  Number of backup pages:35                                                     
	  Size of backup pages:94438 byte                                            
--------------------------------------------------------------------------------
	  Name:/logout_success.html                                                  
	  Size:4042 byte                                                               
	  Last-Modified-Time:2011-12-16 20:24:46                                    
--------------------------------------------------------------------------------
	                                                                              
Table 14-37  Description of the display portal local-server page-information command output

Item

Description

Number of backup pages

Number of page files loaded.

Size of backup pages

Total size of the loaded page files.

Name

Name of a page file.

Size

Size of a page file.

Last-Modified-Time

Last modification time.

display portal quiet-user

Function

The display portal quiet-user command displays information about Portal authentication users in quiet state.

Format

display portal quiet-user { all | server-ip ip-address | user-ip ip-address }

Parameters

Parameter Description Value
all

Displays information about all Portal authentication users in quiet state.

-

user-ip ip-address

Displays information about the quiet user with the specified IP address.

The value is in dotted decimal notation.

server-ip ip-address

Displays information about all the users in quiet state authenticated by the Portal authentication server with a specified IP address.

The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the quiet timer is enabled, you can run the display portal quiet-user command to view information about Portal authentication users in quiet state.

Example

# Display information about all Portal authentication users in quiet state.

<Huawei> display portal quiet-user all
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip                                                    Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.1                                                   10
192.168.1.2                                                   20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.

# Display information about all the users in quiet state authenticated by the Portal authentication server with IP address 192.168.2.1.

<Huawei> display portal quiet-user server-ip 192.168.2.1
Quiet IP information
-------------------------------------------------------------------------------------
Quiet ip                                                    Quiet Remain Time(Sec)
------------------------------------------------------------------------------------
192.168.1.3                                                   10
192.168.1.4                                                   20
------------------------------------------------------------------------------------
2 quiet IP found, 2 printed.

# Display information about the user in quiet state at 192.168.1.1.

<Huawei> display portal quiet-user user-ip 192.168.1.1
 Quiet remain second     100
Table 14-38  Description of the display portal quiet-user command output

Item

Description

Quiet IP information

Information about the user in quiet state.

Quiet ip

IP address of the user in quiet state.

Quiet Remain Time(Sec)

Remaining quiet time of the user in quiet state, in seconds.

Quiet remain second

Remaining quiet period of the user in quiet state.

display server-detect state

Function

The display server-detect state command displays the status of a Portal server.

Format

display server-detect state [ web-auth-server server-name ]

Parameters

Parameter Description Value
web-auth-server server-name Displays information about the Portal server status configured in the specified Portal server template.

If this parameter is not specified, status of all Portal servers is displayed.

The Portal server template name must exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When an external Portal server is used for Portal authentication, you can run the display server-detect state command to check information about the Portal server status.

Example

# Display information about the Portal server status configured in the Portal server template abc.

<Huawei> display server-detect state web-auth-server abc
  Web-auth-server     :    abc                      
  Total-servers       :    4                                                    
  Live-servers        :    1                                                    
  Critical-num        :    0                                                    
  Status              :    Normal                                               
  Ip-address               Status                                               
  192.168.2.1              UP                                                   
  192.168.2.2              DOWN                                                 
  192.168.2.3              DOWN                                                 
  192.168.2.4              DOWN  
Table 14-39  Description of the display server-detect state command output

Item

Description

Web-auth-server

Name of the Portal server template.

Total-servers

Number of Portal servers configured.

Live-servers

Number of Portal servers in Up state.

Critical-num

Minimum number of Portal servers that must be in Up state. If the number of Portal servers in Up state is less than this value, the survival function enabled in the corresponding Portal server template view takes effect.

Status

Status of the Portal server. The values are as follows:
  • Normal: normal state
  • Permit-all: survival state

Ip-address

IP address of the Portal server.

Status

Whether the Portal server with the specified IP address is reachable. The values are as follows:
  • UP: reachable
  • DOWN: unreachable
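
The following added example (not Huawei code) parses the display server-detect state output shown above into a structured record and flags the conditions an operator would want alerted on: a template in Permit-all (survival) state, fewer Up servers than Critical-num, and unreachable servers. The first sample is the command output from this page; the second is constructed.

```python
"""Parse 'display server-detect state' output and flag states a NAC operator
should act on.  Added example for this page, not Huawei code; the first sample
is the command output shown above, the second is constructed."""
import re
from dataclasses import dataclass, field

# Output copied from the example above (template abc, one of four servers up).
SAMPLE_NORMAL = """\
  Web-auth-server     :    abc
  Total-servers       :    4
  Live-servers        :    1
  Critical-num        :    0
  Status              :    Normal
  Ip-address               Status
  192.168.2.1              UP
  192.168.2.2              DOWN
  192.168.2.3              DOWN
  192.168.2.4              DOWN
"""

# Constructed sample: no server reachable, template has entered survival state.
SAMPLE_SURVIVAL = """\
  Web-auth-server     :    abc
  Total-servers       :    2
  Live-servers        :    0
  Critical-num        :    1
  Status              :    Permit-all
  Ip-address               Status
  192.168.2.1              DOWN
  192.168.2.2              DOWN
"""


@dataclass
class ServerDetectState:
    template: str
    total: int
    live: int
    critical: int
    status: str                                   # "Normal" or "Permit-all" per Table 14-39
    servers: dict = field(default_factory=dict)   # ip -> "UP" | "DOWN"


_KV = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(\S+)\s*$")
_SERVER = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(UP|DOWN)\s*$")


def parse_server_detect(text: str) -> ServerDetectState:
    """Turn the CLI output into a structured record."""
    fields, servers = {}, {}
    for line in text.splitlines():
        m = _SERVER.match(line)
        if m:
            servers[m.group(1)] = m.group(2)
            continue
        m = _KV.match(line)            # the "Ip-address  Status" header has no colon
        if m:
            fields[m.group(1)] = m.group(2)
    return ServerDetectState(
        template=fields["Web-auth-server"],
        total=int(fields["Total-servers"]),
        live=int(fields["Live-servers"]),
        critical=int(fields["Critical-num"]),
        status=fields["Status"],
        servers=servers,
    )


def assess(state: ServerDetectState) -> list:
    """Findings worth an alert: survival state, Up count below Critical-num,
    unreachable servers, and a Live-servers counter that disagrees with the list."""
    findings = []
    if state.status != "Normal":
        findings.append(f"template {state.template} is in {state.status} (survival) state")
    if state.live < state.critical:
        findings.append(f"only {state.live} of {state.total} servers up, "
                        f"below Critical-num {state.critical}")
    down = sorted(ip for ip, s in state.servers.items() if s == "DOWN")
    if down:
        findings.append("unreachable Portal servers: " + ", ".join(down))
    if state.live != sum(1 for s in state.servers.values() if s == "UP"):
        findings.append("Live-servers counter does not match the per-server status list")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_NORMAL, SAMPLE_SURVIVAL):
        st = parse_server_detect(sample)
        print(st.template, st.status, assess(st))
```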

display url-template

Function

The display url-template command displays information about URL templates.

Format

display url-template { all | name template-name }

Parameters

Parameter

Description

Value

all

Displays information about all configured URL templates.

-

name template-name

Displays information about the URL template with a specified name.

The value is a string of 1 to 31 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

All views

Default Level

2: Configuration level

Usage Guidelines

After a URL template is configured, run the display url-template command to view information about the URL template.

Example

# Display information about all configured URL templates.

<Huawei> display url-template all
                                                                                
------------------------------------------------------------------------------- 
  Name                              URL     Start  Assignment  Isolate          
                                    Number  Mark   Mark        Mark           
------------------------------------------------------------------------------- 
  huawei                            0       ?      =           &                
  huawei2                           0       ?      =           &                
  huawei3                           0       ?      =           &                
------------------------------------------------------------------------------- 
  Total 3                 

# Display information about the URL template huawei.

<Huawei> display url-template name huawei
  Name : huawei                                                                 
  URL  :                                                                        
    1. http://10.1.1.1                                                          
  Start mark      : !                                                           
  Assignment mark : j                                                           
  Isolate mark    : =                                                           
  User MAC        :                                                             
  Redirect URL    :                                                             
  User IP address :                                                             
  Sysname         :                                                             
  Delimiter       : %                                                           
  Format          : normal 
Table 14-40  Description of the display url-template command output

Item

Description

Name

Name of a URL template.

URL

URL of the Portal server. For details, see url (URL template view).

Start mark

Start character in the URL address. For details, see parameter.

Assignment mark

Assignment character in the URL address. For details, see parameter.

Isolate mark

Delimiter between URL addresses. For details, see parameter.

User MAC

MAC address of a user. For details, see url-parameter.

Redirect URL

URL in the original user packet. For details, see url-parameter.

User IP address

User IP address. For details, see url-parameter.

Sysname

Device name. For details, see url-parameter.

Delimiter

Delimiter used in the MAC address carried in the URL. For details, see url-parameter mac-address format.

Format

Format of the MAC address carried in the URL. For details, see url-parameter mac-address format.
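
To show how the URL template fields above combine into the redirect URL sent to a user, here is an added example (not Huawei code). The field names mirror the display url-template output; the parameter key names ("usermac", "userip", "url", "sysname") are placeholders for whatever url-parameter configures, and the meaning of the "normal" and "compact" MAC formats is an assumption.

```python
"""Assemble the Portal redirect URL that a URL template describes.

Added example for this page, not Huawei code.  The field names mirror the
'display url-template name' output above; the parameter key names ("usermac",
"userip", "url", "sysname") are placeholders for whatever url-parameter sets,
and the "normal"/"compact" MAC layouts below are assumed meanings."""
from dataclasses import dataclass
from urllib.parse import quote


@dataclass
class UrlTemplate:
    url: str                        # URL of the Portal server
    start_mark: str = "?"           # Start mark: begins the parameter section
    assignment_mark: str = "="      # Assignment mark: between key and value
    isolate_mark: str = "&"         # Isolate mark: between parameters
    user_mac_key: str = ""          # empty key = parameter not carried (as in the display output)
    user_ip_key: str = ""
    redirect_url_key: str = ""
    sysname_key: str = ""
    mac_delimiter: str = "-"        # Delimiter used inside the MAC address
    mac_format: str = "normal"      # "normal": xxxx-xxxx-xxxx, "compact": xx-xx-xx-xx-xx-xx (assumed)


def format_mac(mac: str, delimiter: str, fmt: str) -> str:
    """Re-group the 12 hex digits of a MAC address with the template's delimiter."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    group = 4 if fmt == "normal" else 2
    return delimiter.join(digits[i:i + group] for i in range(0, 12, group))


def build_redirect_url(tpl: UrlTemplate, user_mac: str, user_ip: str,
                       original_url: str, sysname: str) -> str:
    """Compose <URL><start><key><assign><value><isolate>... for the enabled parameters.
    Only the original URL is percent-encoded: it may itself contain ?, = and &,
    which would otherwise be confused with the template's own marks."""
    items = []
    if tpl.user_mac_key:
        items.append((tpl.user_mac_key,
                      format_mac(user_mac, tpl.mac_delimiter, tpl.mac_format)))
    if tpl.user_ip_key:
        items.append((tpl.user_ip_key, user_ip))
    if tpl.sysname_key:
        items.append((tpl.sysname_key, sysname))
    if tpl.redirect_url_key:
        items.append((tpl.redirect_url_key, quote(original_url, safe="")))
    if not items:
        return tpl.url
    body = tpl.isolate_mark.join(f"{k}{tpl.assignment_mark}{v}" for k, v in items)
    return tpl.url + tpl.start_mark + body


# Template with the default marks (?, =, &) as listed for "huawei" in the table output.
DEFAULT_TPL = UrlTemplate(url="http://10.1.1.1", user_mac_key="usermac",
                          user_ip_key="userip", redirect_url_key="url")


if __name__ == "__main__":
    print(build_redirect_url(DEFAULT_TPL, "00e0-fc12-3456", "192.168.10.5",
                             "http://example.com/index.html?x=1", "Huawei"))
    # A "%" delimiter (as in the 'display url-template name huawei' output) collides
    # with percent-encoding: a server that URL-decodes the parameter will mangle it.
    print(format_mac("00e0-fc12-3456", "%", "compact"))
```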

display user-group

Function

The display user-group command displays the configuration of a user group.

Format

display user-group [ group-name ]

Parameters

Parameter Description Value
group-name Displays the configuration of a specified user group.

The configurations of all user groups are displayed if this parameter is not specified.

The value is a string of 1 to 64 case-sensitive characters without spaces.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display user-group command to obtain the user group configuration and locate faults according to the command output.

Example

# Display the configuration of all user groups.

<Huawei> display user-group
 -------------------------------------------------------------------------------
 ID   Group name     Rule-num   User-num Iso-inter Iso-inner Vlan
 -------------------------------------------------------------------------------
 0    abc            0          0        No        No        0
 -------------------------------------------------------------------------------
 Total 1
NOTE:

When the length of Group name exceeds 14 characters, the name is displayed in abridged mode.

# Display the configuration of the user group abc.

<Huawei> display user-group abc
  User group ID           : 0                                                   
  Group name              : abc                                              
  ACL ID                  :                                                     
  ACL rule number         : 0                                                   
  GID                     : 9086                                                
  User-num                : 0                                                   
  VLAN                    :                                                     
  Remark dscp             :                                                     
  Remark 8021p            :                                                     
  Remark exp              :                                                     
  Remark lp               :                                                     
  IsolateInter            : No                                                  
  IsolateInner            : No               
Table 14-41  Description of the display user-group command output

Item

Description

User group ID

ID of the user group.

Group name

Name of the user group.

ACL ID

ID of the ACL bound to the user group.

To set the ACL ID, run the acl-id (user group view) command.

ACL rule number

Number of ACL rules.

User-num

Number of online users bound to the user group.

VLAN

VLAN of the user group.

To set the VLAN, run the user-vlan command.

Remark dscp

Priorities for processing IP packets.

To set the priorities, run the remark command.

Remark 8021p

Priorities for processing Ethernet Layer 2 packets.

To set the priorities, run the remark command.

Remark exp

Priorities for processing MPLS packets.

To set the priorities, run the remark command.

Remark lp

Priorities for processing internal packets of the device.

To set the priorities, run the remark command.

IsolateInter\Iso-inter

Whether users in the user group are isolated from users in other user groups.

IsolateInner\Iso-inner

Whether users in the same user group are isolated from each other.

display web-auth-server configuration

Function

The display web-auth-server configuration command displays the Portal server configuration.

Format

display web-auth-server configuration

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the Portal server template is configured, run the display web-auth-server configuration command to view the Portal server configuration.

Example

# Display the Portal server configuration.

<Huawei> display web-auth-server configuration
  Listening port        : 4000
  Portal                : version 1, version 2
  Include reply message : enabled
  ------------------------------------------------------------------------
  Web-auth-server Name : isp1
  IP-address           : 10.138.86.35
  Shared-key           : %^%#n{tj5)rRhJ]NM3C>#brWsy8[~z4%'($U6m3Hrj'"%^%# 
  Source-IP            : 0.0.0.0                                                
  Port / PortFlag      : 40000 / NO
  URL                  : http://192.168.2.30:8080/webagent
  URL Template         :                                                        
  Redirection          : Disable  
  Sync                 : Disable                                                
  Sync Seconds         : 300                                                    
  Sync Max-times       : 3                                                      
  Detect               : Disable                                                
  Detect Seconds       : 60                                                     
  Detect Max-times     : 3                                                      
  Detect Critical-num  : 0                                                      
  Detect Action        :                                                        
  Bound Vlanif         :                                                        
  VPN Instance         :                                                        
  Bound WAN Interface  :                                         
                                                                                
  ------------------------------------------------------------------------      
  1 Web authentication server(s) in total                      
Table 14-42  Description of the display web-auth-server configuration command output

Item

Description

Listening port

Listening port for Portal protocol packets.

To configure a listening port, run the web-auth-server listening-port command.

Portal

Portal protocol version.

To configure the Portal protocol version, run the web-auth-server version command.

Include reply message

Whether the packets sent from the device to the Portal server contain authentication responses.

To have the device transparently forward the authentication server's responses for users to the Portal server, run the web-auth-server reply-message command.

Web-auth-server Name

Name of the Portal server template.

To configure the Portal server template name, run the web-auth-server (system view) command.

IP-address

IP address of the Portal server.

To configure the IP address of the Portal server, run the server-ip (Portal server template view) command.

Shared-key

Shared key of the Portal server.

To configure the shared key of the Portal server, run the shared-key (Portal server template view) command.

Source-IP

IP address used for communication with the Portal server.

To configure the IP address used for communication with the Portal server, run the source-ip (Portal server template view) command.

Port / PortFlag

  • Port: indicates the port number of the Portal server.
  • PortFlag: indicates whether packets are always sent through this port.

To configure the port number of the Portal server, run the port (Portal server template view) command.

URL

URL of the Portal server.

To configure the URL of the Portal server, run the url (Portal server template view) command.

URL Template

URL template bound to the Portal server template.

To configure the URL template, run the url-template (Portal server template view) command.

Redirection

Redirection status of Portal authentication.
  • Disable: Redirection of Portal authentication is disabled.
  • Enable: Redirection of Portal authentication is enabled.

To configure redirection of Portal authentication, run the web-redirection disable (Portal server template view) command.

Sync

User information synchronization.

To enable user information synchronization, run the user-sync command.

Sync Seconds

User information synchronization interval.

To set the user information synchronization interval, run the user-sync command.

Sync max-times

Maximum number of times that user information synchronization fails.

To set the maximum number of times that user information synchronization fails, run the user-sync command.

Detect

Portal server detection and keepalive functions.

To configure Portal server detection and keepalive functions, run the server-detect command.

Detect Seconds

Detection interval of the Portal server.

To set the detection interval of the Portal server, run the server-detect command.

Detect max-times

Maximum number of detection failures.

To set the maximum number of detection failures, run the server-detect command.

Detect Critical-num

Minimum number of Portal servers that must be in Up state. When fewer Portal servers than this are running, the survival function configured in the corresponding Portal server template view takes effect.

To configure this function, run the server-detect command.

Detect Action

Action taken after the number of detection failures exceeds the maximum.
  • log: The device sends logs after the number of detection failures exceeds the maximum.
  • trap: The device sends traps after the number of detection failures exceeds the maximum.
  • permit-all: Portal authentication on the interface is disabled after the number of detection failures exceeds the maximum.

To configure an action taken after the number of detection failures exceeds the maximum, run the server-detect command.

Bound Vlanif

VLANIF interface to which the Portal server template is bound.

To bind the Portal server template to a VLANIF interface, run the web-auth-server (interface view) command.

VPN instance

VPN instance used for Portal authentication.

To configure a VPN instance, run the vpn-instance (Portal server template view) command.

Bound WAN Interface

WAN interface bound to the Portal server template.

To bind the Portal server template to a WAN interface, run the web-auth-server (interface view) command.
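The fields above are easiest to review programmatically when many templates exist. The following script is an added example, not code from Huawei or from this document: it parses the text of display web-auth-server configuration (the sample below is constructed to mirror the page's example output) and flags settings a reviewer would question. The checks and their thresholds are the script's own policy, not device behaviour.

```python
"""Added example (not from the Huawei page): parse the text output of
'display web-auth-server configuration' and flag settings a reviewer would
question. The sample output is constructed to mirror the page's example;
the checks and their wording are this script's own policy, not the device's."""
import re
from typing import Dict, List, Tuple

# Constructed sample, copied in shape from the page's example output.
SAMPLE_OUTPUT = """\
  Listening port        : 4000
  Portal                : version 1, version 2
  Include reply message : enabled
  ------------------------------------------------------------------------
  Web-auth-server Name : isp1
  IP-address           : 10.138.86.35
  Shared-key           : %^%#n{tj5)rRhJ]NM3C>#brWsy8[~z4%'($U6m3Hrj'"%^%#
  Source-IP            : 0.0.0.0
  Port / PortFlag      : 40000 / NO
  URL                  : http://192.168.2.30:8080/webagent
  URL Template         :
  Redirection          : Disable
  Sync                 : Disable
  Sync Seconds         : 300
  Sync Max-times       : 3
  Detect               : Disable
  Detect Seconds       : 60
  Detect Max-times     : 3
  Detect Critical-num  : 0
  Detect Action        :
  Bound Vlanif         :
  VPN Instance         :
  Bound WAN Interface  :

  ------------------------------------------------------------------------
  1 Web authentication server(s) in total
"""

SEPARATOR = re.compile(r"^\s*-{10,}\s*$")
KEY_VALUE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_web_auth_servers(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Split the output on the dashed separators: the first section holds the
    global settings, each following section one Portal server template."""
    sections: List[Dict[str, str]] = [{}]
    for line in text.splitlines():
        if SEPARATOR.match(line):
            sections.append({})
            continue
        match = KEY_VALUE.match(line)
        if match:
            sections[-1][match.group(1)] = match.group(2)
    global_settings = sections[0]
    templates = [s for s in sections[1:] if "Web-auth-server Name" in s]
    return global_settings, templates


def audit_template(template: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one Portal server template."""
    name = template.get("Web-auth-server Name", "<unnamed>")
    findings: List[str] = []
    if template.get("Source-IP", "") in ("", "0.0.0.0"):
        findings.append(f"{name}: Source-IP not set; the Portal server sees whatever "
                        "egress address the device picks, so pin it with source-ip")
    if template.get("URL", "").lower().startswith("http://"):
        findings.append(f"{name}: Portal URL is plain HTTP; the login page and "
                        "credentials cross the access network unencrypted")
    if template.get("Detect", "").lower() != "enable":
        findings.append(f"{name}: server-detect disabled; a dead Portal server is "
                        "not noticed and no log/trap is raised")
    elif "permit-all" in template.get("Detect Action", "").lower():
        findings.append(f"{name}: Detect Action permit-all disables Portal "
                        "authentication on the interface when the server is down")
    if template.get("Sync", "").lower() != "enable":
        findings.append(f"{name}: user-sync disabled; user state on the device is "
                        "not reconciled with the Portal server")
    return findings


def audit_output(text: str) -> List[str]:
    """Audit every template found in one display output."""
    _, templates = parse_web_auth_servers(text)
    return [f for t in templates for f in audit_template(t)]


if __name__ == "__main__":
    for finding in audit_output(SAMPLE_OUTPUT):
        print(finding)
```

Run it against output captured from the device (for example, pasted from a terminal log); the parser only depends on the key : value layout and the dashed separators shown above, so extra fields in other software versions are carried through untouched.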

dot1x authentication-method

Function

The dot1x authentication-method command sets the authentication mode for 802.1x users.

The undo dot1x authentication-method command restores the default authentication mode for 802.1x users.

By default, the global 802.1x user authentication mode is CHAP authentication and the 802.1x user authentication mode on interfaces is the same as the mode globally configured.

Format

dot1x authentication-method { chap | pap | eap }

undo dot1x authentication-method

Parameters

Parameter

Description

Value

chap

Indicates the CHAP-based EAP termination authentication mode.

-

pap

Indicates the PAP-based EAP termination authentication mode.

-

eap

Indicates the EAP relay mode.

-

Views

System view, Ethernet interface view, GE interface view, WLAN-ESS interface view, WLAN-BSS interface view

Default Level

2: Configuration level

Usage Guidelines

During 802.1x authentication, the user and the device exchange authentication information in EAP packets. The device can pass this information to the RADIUS server in either of two modes.
  • EAP termination: The device terminates the EAP exchange itself, extracts the user's authentication information, encapsulates it in a RADIUS packet, and sends it to the RADIUS server. In this mode the device and the RADIUS server exchange information using PAP or CHAP.

    • PAP is a two-way handshake protocol. The user's password travels in the RADIUS User-Password attribute, which is only obfuscated with the RADIUS shared secret (RFC 2865), so anyone who captures the packet and knows the shared secret recovers the password. PAP is not recommended because of its low security.
    • CHAP is a three-way handshake protocol. RADIUS packets carry the user name, the challenge and an MD5 response computed over the password, never the password itself. CHAP is more secure than PAP and is recommended where high security is required.

    After parsing the EAP packets, the device authenticates the user information through the local AAA module or sends it to the RADIUS or HWTACACS server for authentication.

  • EAP relay (eap): The device encapsulates the EAP packets in RADIUS packets and forwards them to the RADIUS server without parsing the user authentication information they carry. This mechanism is called EAP over RADIUS (EAPOR).

EAP relay requires the RADIUS server to parse and authenticate a large volume of EAP packets; use it when the RADIUS server has enough processing capacity. If it does not, use EAP termination so that the device parses the EAP packets on the server's behalf.
NOTE:
  • The authentication mode can be set to EAP relay for 802.1x authentication users only when the RADIUS authentication is used.

  • If the 802.1x client uses EAP-MD5, the authentication mode on the device can be set to EAP or CHAP; if the client uses PEAP, the authentication mode on the device must be EAP (the device cannot terminate a TLS-tunnelled method on the server's behalf). If the authentication mode for 802.1x users is set to EAP, user names in the packets the device sends to the RADIUS server must carry the domain name; the undo radius-server user-name domain-included command cannot be used to strip domain names in this case.
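The difference between the two termination modes is what the RADIUS server (and anyone sniffing the device-to-server link) receives. The following is an added example, not code from the Huawei page or product: it implements the RFC 2865 User-Password hiding that PAP termination relies on and the RFC 1994 challenge response that CHAP termination sends, using constructed values for the shared secret, Request Authenticator, password and challenge.

```python
"""Added example (not from the Huawei page): what the RADIUS server receives
from the device in the two EAP termination modes. PAP hides the password with
the shared secret only (RFC 2865 section 5.2); CHAP sends a challenge response
(RFC 1994 section 4.1, carried as RADIUS CHAP-Password per RFC 2865 section 5.3).
Secret, authenticator, password and challenge below are constructed test values."""
import hashlib
import hmac


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to a multiple of 16 octets, then XOR
    each block with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The inverse: anyone holding the shared secret (the server, or an attacker
    who obtained it) recovers the password from a captured Access-Request."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")  # strips padding; assumes the password has no trailing NULs


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || challenge). The RADIUS
    CHAP-Password attribute carries Identifier + this digest; the challenge
    travels in CHAP-Challenge (or the Request Authenticator)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored cleartext password and compare in
    constant time. Nothing in the packet lets an observer recover the password,
    but the server must hold it reversibly, which is the operational price of CHAP."""
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)


def demo() -> dict:
    """Show both exchanges side by side on constructed values."""
    secret = b"radius-shared-secret"          # constructed; the device's shared-key in practice
    authenticator = bytes(range(16))          # constructed; random per request in practice
    password = b"Passw0rd!"
    challenge = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    hidden = pap_hide_password(password, secret, authenticator)
    resp = chap_response(7, password, challenge)
    return {
        "pap_on_the_wire": hidden.hex(),
        "pap_recovered_with_secret": pap_reveal_password(hidden, secret, authenticator),
        "chap_on_the_wire": resp.hex(),
        "chap_verifies": chap_verify(7, password, challenge, resp),
        "chap_wrong_password_verifies": chap_verify(7, b"guess", challenge, resp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence for the choice above: with PAP termination the RADIUS shared key is the only thing protecting every user's password on the device-to-server path, whereas with CHAP termination the server must store passwords in cleartext or reversibly encrypted form so that it can recompute the response. EAP relay sidesteps both by letting the EAP method (for example PEAP) protect the credential end to end.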

Example

# Set the authentication mode to EAP for 802.1x users in the device in the system view.

<Huawei> system-view
[Huawei] dot1x authentication-method eap

# Set the authentication mode to EAP for 802.1x users on Eth0/0/1.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dot1x authentication-method eap

dot1x dhcp-trigger

Function

The dot1x dhcp-trigger command enables DHCP-triggered 802.1x authentication.

The undo dot1x dhcp-trigger command disables DHCP-triggered 802.1x authentication.

By default, DHCP-triggered 802.1x authentication is disabled.

Format

dot1x dhcp-trigger

undo dot1x dhcp-trigger

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP-triggered 802.1x authentication is enabled using the dot1x dhcp-trigger command, the device sends an 802.1x authentication-start packet to a user when it receives a DHCP Request message from that user. On receiving the packet, the client displays the 802.1x authentication page and prompts the user for a user name and password. This lets 802.1x users start authentication without manually initiating it from the client software, which simplifies 802.1x deployment.
NOTE:

After receiving the request packet from an 802.1x user, the device starts authenticating the user. If the user is authenticated, the device allocates an IP address to the user through a DHCP server; if the user fails the authentication, the user cannot obtain a dynamic IP address from the DHCP server.

Prerequisites

802.1x authentication has been enabled globally and on an interface using the dot1x enable command.

Precautions

The dot1x dhcp-trigger command can be used only when the client supports DHCP and 802.1x authentication.

Example

# Enable DHCP-triggered 802.1x authentication.

<Huawei> system-view
[Huawei] dot1x dhcp-trigger

dot1x eap-notify-packet

Function

The dot1x eap-notify-packet command enables the device to send an EAP packet code number to users.

The undo dot1x eap-notify-packet command disables the device from sending an EAP packet code number to users.

By default, the device is disabled from sending an EAP packet code number to users.

Format

dot1x eap-notify-packet eap-code code-number data-type type-number

undo dot1x eap-notify-packet [ eap-code code-number data-type type-number ]

Parameters

Parameter

Description

Value

eap-code code-number

Specifies an EAP packet code number sent to users.

The value is an integer that ranges from 5 to 255.

data-type type-number

Specifies the data type in EAP packets sent to users.

The value is an integer that ranges from 1 to 255.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a non-Huawei device acting as the RADIUS server sends the device RADIUS packets carrying attribute 61 with EAP packet code 0xa (10 in decimal) and data type 0x19 (25 in decimal), run the dot1x eap-notify-packet command so that the device forwards EAP packets with code 0xa and data type 0x19 to users. If the command is not run, the device does not process EAP packets of this type and the users are disconnected.

Precautions

The device can only process EAP packets with code number 10 and data type 25.

Example

# Allow the device to send EAP packets with code number 10 and data type 25 to users.

<Huawei> system-view
[Huawei] dot1x eap-notify-packet eap-code 10 data-type 25

dot1x enable

Function

The dot1x enable command enables 802.1x authentication on a device.

The undo dot1x enable command disables 802.1x authentication on a device.

By default, 802.1x authentication is disabled on a device.

Format

In the system view:

dot1x enable [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

undo dot1x enable [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

In the interface view:

dot1x enable

undo dot1x enable

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Enables 802.1x authentication on the specified interface of the device.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

Global 802.1x authentication is enabled if this parameter is not specified.

-

Views

System view, Ethernet interface view, GE interface view, WLAN-ESS interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The IEEE 802.1x standard (802.1x for short) is a port-based network access control protocol. You can run the dot1x enable command to enable 802.1x authentication globally and on an interface.

To make the 802.1x configuration effective on an interface, enable the global 802.1x authentication function and perform either of the following operations:
  • Run the dot1x enable command in the interface view.
  • Run the dot1x enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command in the system view.

Precautions

  • Disconnect all users before running the undo dot1x enable command.

  • After the static MAC address entry is configured using the mac-address static mac-address interface-type interface-number vlan vlan-id command, the user corresponding to the entry cannot pass 802.1x authentication.
  • If 802.1x authentication is enabled on an interface, the following commands cannot be used on the same interface.

    Command

    Function

    mac-limit

    Sets the maximum number of MAC addresses that can be learned by an interface.

    mac-address learning disable

    Disables MAC address learning on an interface.

    port link-type dot1q-tunnel

    Sets the link type of an interface to QinQ.

    port-security enable

    Enables interface security.

Example

# Enable 802.1x authentication on Eth0/0/1 in the system view.

<Huawei> system-view
[Huawei] dot1x enable
[Huawei] dot1x enable interface ethernet 0/0/1

# Enable 802.1x authentication on Eth0/0/1 in the interface view.

<Huawei> system-view
[Huawei] dot1x enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dot1x enable

dot1x free-ip

Function

The dot1x free-ip command configures a free IP subnet.

The undo dot1x free-ip command deletes the configured free IP subnet.

By default, no free IP subnet is configured.

Format

dot1x free-ip ip-address { mask-length | mask-address }

undo dot1x free-ip { ip-address { mask-length | mask-address } | all }

Parameters

Parameter

Description

Value

ip-address

Specifies a free IP subnet.

The value is in dotted decimal notation.

mask-length

Specifies the mask length of the IP address.

The value is an integer that ranges from 1 to 32.

mask-address

Specifies the mask of the IP address.

The value is in dotted decimal notation.

all

Deletes all free IP subnets.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

802.1x users can access networks only after being authenticated. You can configure a free IP subnet, so that users can access network resources in the free IP subnet before being authenticated.

Precautions

  • 802.1x authentication has been enabled globally and on an interface using the dot1x enable command.

  • After the free-ip function is configured, the guest VLAN and restrict VLAN no longer take effect.

  • The free IP subnet takes effect only when the interface authorization state is auto.

  • If a user who does not pass 802.1x authentication wants to obtain an IP address dynamically through the DHCP server, the network segment of the DHCP server needs to be configured to a free IP subnet so that the user can access the DHCP server.

  • The free-ip function is not supported when the AR performs Layer 2 switching.

Example

# Configure 192.168.1.0/24 as a free IP subnet that users can access before they pass 802.1x authentication.

<Huawei> system-view
[Huawei] dot1x free-ip 192.168.1.0 24

dot1x handshake

Function

The dot1x handshake command enables the device to send handshake packets to online 802.1x users.

The undo dot1x handshake command disables the device from sending handshake packets to online 802.1x users.

By default, the device handshake function is disabled for online 802.1x users.

Format

dot1x handshake

undo dot1x handshake

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

To check whether an 802.1x user is online in real time, you can run the dot1x handshake command to enable the device to send handshake packets to the 802.1x user. The device sends handshake request packets to the user. If the user sends a response packet within the handshake interval (set using the dot1x timer command), the device considers that the user is online. If the user does not send any response packet within the interval, the device considers that the user is offline.
NOTE:

If a client does not support the handshake function, the device will not receive handshake response packets within the handshake interval and considers that the user is offline. Therefore, disable the device from sending handshake packets to an online 802.1x user when the user's client does not support the handshake function.

Example

# Enable the device to send handshake packets to online 802.1x users.

<Huawei> system-view
[Huawei] dot1x handshake

dot1x mac-bypass

Function

The dot1x mac-bypass command enables MAC address bypass authentication on an interface.

The undo dot1x mac-bypass command disables MAC address bypass authentication on an interface.

By default, MAC address bypass authentication is disabled on an interface.

Format

In the system view:

dot1x mac-bypass { interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> }

undo dot1x mac-bypass { interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> }

In the interface view:

dot1x mac-bypass

undo dot1x mac-bypass

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Enables MAC address bypass authentication on the specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, Ethernet interface view, GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can enable MAC address bypass authentication for terminals (for example, printers) on which the 802.1x client software cannot be installed or used.

After MAC address bypass authentication is enabled on the interface using the dot1x mac-bypass command, the device first performs 802.1x authentication on users. Once 802.1x authentication fails, the device starts the MAC address authentication process for the users.
NOTE:

Running the dot1x mac-bypass command also enables 802.1x authentication on an interface, and running the undo dot1x mac-bypass command also disables 802.1x authentication on an interface. When you run the dot1x mac-bypass command on an interface that has been enabled with 802.1x authentication, the authentication mode on the interface changes to MAC address bypass authentication.

Prerequisites

802.1x authentication has been enabled globally using the dot1x enable command.

Example

# Enable MAC address bypass authentication on Eth0/0/1 in the system view.

<Huawei> system-view
[Huawei] dot1x mac-bypass interface ethernet 0/0/1

# Enable MAC address bypass authentication on Eth0/0/1 in the interface view.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dot1x mac-bypass

dot1x mac-bypass mac-auth-first

Function

The dot1x mac-bypass mac-auth-first command enables the device to perform MAC address authentication first during MAC address bypass authentication.

The undo dot1x mac-bypass mac-auth-first command disables the device from performing MAC address authentication first during MAC address bypass authentication.

By default, the MAC address authentication is not performed first during MAC address bypass authentication.

Format

In the system view:

dot1x mac-bypass mac-auth-first interface { interface-type interface-number1 [ to interface-number2 ] } &<1-5>

undo dot1x mac-bypass mac-auth-first interface { interface-type interface-number1 [ to interface-number2 ] } &<1-5>

In the interface view:

dot1x mac-bypass mac-auth-first

undo dot1x mac-bypass mac-auth-first

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Enables the device to perform MAC address authentication first on a specified interface during MAC address bypass authentication.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, Ethernet interface view, GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When both the clients that do not support 802.1x authentication (such as printers) and the clients that support 802.1x authentication (such as PCs) are connected to the interface enabled with MAC address bypass authentication, you can run the dot1x mac-bypass mac-auth-first command to enable the device to perform MAC address authentication first during MAC address bypass authentication. After that, the device first starts the MAC address authentication process for users, and triggers 802.1x authentication only if MAC address authentication fails.

Prerequisites

802.1x authentication has been enabled globally and on an interface using the dot1x enable command.

Follow-up Procedure

Run the dot1x mac-bypass command to enable MAC address bypass authentication on the interface.

Example

# Enable the device to first perform MAC address authentication on Eth0/0/1 during MAC address bypass authentication in the system view.

<Huawei> system-view
[Huawei] dot1x mac-bypass mac-auth-first interface ethernet 0/0/1

# Enable the device to first perform MAC address authentication on Eth0/0/1 during MAC address bypass authentication in the interface view.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dot1x mac-bypass mac-auth-first

dot1x max-user

Function

The dot1x max-user command sets the maximum number of 802.1x authentication users allowed on an interface.

The undo dot1x max-user command restores the default maximum number of 802.1x authentication users allowed on an interface.

By default, the maximum number of 802.1x authentication users allowed on an interface equals the maximum number of 802.1x authentication users supported by the device.

Format

In the system view:

dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x max-user [ user-number ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x max-user user-number

undo dot1x max-user [ user-number ]

Parameters

Parameter

Description

Value

user-number

Specifies the maximum number of 802.1x authentication users on an interface.

The value is an integer that ranges from 1 to 160.

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, Ethernet interface view, GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To limit the maximum number of 802.1x authentication users allowed on an interface, run the dot1x max-user command.

Prerequisites

The 802.1x authentication function has been enabled globally and on an interface using the dot1x enable command.

Precautions

If the user access mode on an interface is interface-based (configured using the dot1x port-method command), the maximum number of 802.1x authentication users allowed on the interface is 1. Before running the dot1x max-user command to set the maximum number of 802.1x authentication users allowed on the interface, run the undo dot1x port-method command to restore the user access mode on the interface to MAC address-based.

Example

# In the system view, set the maximum number of 802.1x authentication users allowed on Eth0/0/1 to 7.

<Huawei> system-view
[Huawei] dot1x max-user 7 interface ethernet 0/0/1

# In the interface view, set the maximum number of 802.1x authentication users allowed on Eth0/0/1 to 7.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dot1x max-user 7

dot1x port-control

Function

The dot1x port-control command sets the authorization state of an interface.

The undo dot1x port-control command restores the default authorization state of an interface.

By default, the authorization state of an interface is auto.

Format

In the system view:

dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x port-control interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x port-control { auto | authorized-force | unauthorized-force }

undo dot1x port-control

Parameters

Parameter

Description

Value

auto

Indicates the auto identification mode. In this mode, an interface is initially in Unauthorized state and only allows users to send and receive EAPOL packets. Users cannot access network resources. After the users are authenticated, the interface becomes authorized and allows the users to access network resources.

-

authorized-force

Indicates the forcible authorization mode. In this mode, the interface is always in Authorized state and allows users to access network resources without authentication and authorization.

-

unauthorized-force

Indicates the forcible unauthorized mode. In this mode, the interface is always in Unauthorized state and forbids users to access network resources.

-

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, Ethernet interface view, GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The auto mode is recommended. Only authenticated users can access network resources. To trust all users on an interface without authentication, configure the authorized-force mode. To disable access rights of all users on an interface to ensure security, configure the unauthorized-force mode.

Prerequisites

802.1x authentication has been enabled globally and on an interface using the dot1x enable command.

Precautions

When there are online 802.1x users on an interface, the dot1x port-control command must not be run; otherwise, the system displays alarm information.

It is recommended that you set the authorization state of an interface in the early stage of network deployment. When the network is running properly, run the cut access-user command to disconnect all users from the interface before changing the authorization state.

Example

# Set the authorization state of Eth0/0/1 to unauthorized-force in the system view.

<Huawei> system-view
[Huawei] dot1x port-control unauthorized-force interface ethernet 0/0/1

# Set the authorization state of Eth0/0/1 to unauthorized-force in the interface view.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dot1x port-control unauthorized-force

dot1x port-method

Function

The dot1x port-method command sets the 802.1x access control method of an interface.

The undo dot1x port-method command sets the default 802.1x access control method of an interface.

By default, 802.1x access control on an interface is based on MAC addresses.

Format

In the system view:

dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x port-method interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x port-method { mac | port }

undo dot1x port-method

Parameters

Parameter

Description

Value

mac

Indicates that users are authenticated based on their MAC addresses.

-

port

Indicates that users are authenticated based on their access interfaces.

-

interface { interface-type interface-number1 [ to interface-number2 ] }

Indicates the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, Ethernet interface view, GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

802.1x access control can be based on MAC addresses or interfaces.

  • When the mac method is used, all 802.1x users on an interface are authenticated one by one. If a user goes offline, other users on this interface are not affected. The mac method is applicable to individual users.
  • When the port method is used, once one user on the interface is authenticated, all other 802.1x users on that interface can use network resources without authenticating. When that authenticated user goes offline, the other users lose access. The port method suits groups of users that share one port.

Prerequisites

802.1x authentication has been enabled globally and on an interface using the dot1x enable command.

Precautions

  • When there are online 802.1x users on an interface, do not run the dot1x port-method command to change the access control method on the interface.

  • If the access control method of an interface is set to port, only one 802.1x user can access the interface. After you run the undo dot1x port-method command, MAC address-based access control is restored, but the limit stays at one user. Run the dot1x max-user command to raise the maximum number of 802.1x users as required.
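The dot1x authentication-method, dot1x free-ip, dot1x port-control and dot1x port-method settings above each weaken port authentication when chosen loosely, and they are spread between the system view and individual interfaces. The following is an added example, not code from the Huawei page or product: it parses a configuration fragment in the style of display current-configuration (the sample is constructed) and reports the combinations this section warns about. The free-ip width limit is the script's own policy, not a device rule.

```python
"""Added example (not from the Huawei page): audit a saved VRP configuration
for 802.1x settings that weaken port authentication. The configuration text
below is constructed; the thresholds (for example how wide a free-ip subnet may
be) are this script's own policy, not a device rule."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed configuration fragment in the display current-configuration style.
SAMPLE_CONFIG = """\
#
dot1x enable
dot1x authentication-method pap
dot1x free-ip 10.0.0.0 8
dot1x quiet-period
#
interface Ethernet0/0/1
 dot1x enable
 dot1x port-control authorized-force
#
interface Ethernet0/0/2
 dot1x enable
 dot1x port-method port
#
interface GigabitEthernet0/0/3
 dot1x mac-bypass
#
return
"""

MAX_FREE_IP_PREFIX = 24   # example policy: pre-authentication subnets no wider than /24


def parse_vrp_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Collect system-view commands and, per interface, the indented commands
    under its 'interface' line. A '#' line closes the current block."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#" or line == "return":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def free_ip_network(cmd: str) -> ipaddress.IPv4Network:
    """'dot1x free-ip A.B.C.D <mask-length | mask-address>' -> network object;
    ipaddress accepts both a prefix length and a dotted mask after the slash."""
    _, _, address, mask = cmd.split()
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def audit_dot1x(text: str) -> List[str]:
    """Return one finding per weak setting found in the configuration text."""
    global_cmds, interfaces = parse_vrp_config(text)
    findings: List[str] = []
    if "dot1x enable" not in global_cmds:
        findings.append("global: dot1x enable is missing, so per-interface 802.1x settings do not take effect")
    for cmd in global_cmds:
        if cmd == "dot1x authentication-method pap":
            findings.append("global: PAP termination sends the password in RADIUS packets; use chap or eap")
        elif cmd.startswith("dot1x free-ip "):
            net = free_ip_network(cmd)
            if net.prefixlen < MAX_FREE_IP_PREFIX:
                findings.append(f"global: free-ip {net} is reachable by unauthenticated hosts; narrow it")
    for name, cmds in interfaces.items():
        if "dot1x port-control authorized-force" in cmds:
            findings.append(f"{name}: authorized-force admits every host without authentication")
        if "dot1x port-method port" in cmds:
            findings.append(f"{name}: port method lets all hosts on the port ride on one successful authentication")
    return findings


if __name__ == "__main__":
    for finding in audit_dot1x(SAMPLE_CONFIG):
        print(finding)
```

Feed it the saved configuration of each access router and review the findings before enabling 802.1x in production; authorized-force and a wide free-ip subnet are legitimate during rollout but should not survive into steady state.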

Example

# Set the 802.1x access control method on Eth0/0/1 in the system view to port.

<Huawei> system-view
[Huawei] dot1x port-method port interface ethernet 0/0/1

# Set the 802.1x access control method on Eth0/0/1 in the interface view to port.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dot1x port-method port

dot1x quiet-period

Function

The dot1x quiet-period command enables the quiet timer function.

The undo dot1x quiet-period command disables the quiet timer function.

By default, the quiet timer function is disabled.

Format

dot1x quiet-period

undo dot1x quiet-period

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the quiet timer function is enabled, if the number of authentication failures of an 802.1x user exceeds a specified value (set using the dot1x quiet-times command) within 60 seconds, the user enters a quiet period. During the quiet period, the device discards the 802.1x authentication request packets from the user. This prevents the impact on the system due to frequent user authentication.

The length of the quiet period is set using the dot1x timer quiet-period command. When the quiet timer expires, the device processes authentication requests from the user again.

Example

# Enable the quiet timer.

<Huawei> system-view
[Huawei] dot1x quiet-period

dot1x quiet-times

Function

The dot1x quiet-times command sets the maximum number of authentication failures within 60 seconds before an 802.1x user enters the quiet state.

The undo dot1x quiet-times command restores the default setting.

By default, an 802.1x user enters the quiet state after three authentication failures within 60 seconds.

Format

dot1x quiet-times fail-times

undo dot1x quiet-times

Parameters

Parameter

Description

Value

fail-times

Specifies the maximum number of authentication failures before the 802.1x user enters the quiet state.

The value is an integer that ranges from 1 to 10.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the quiet timer function of the device is enabled using the dot1x quiet-period command, if the number of authentication failures of an 802.1x user exceeds the value that is set using the dot1x quiet-times command within 60 seconds, the user enters the quiet state. This prevents the impact on the system due to frequent user authentication.

Example

# Set the maximum number of authentication failures within 60 seconds to 4.

<Huawei> system-view
[Huawei] dot1x quiet-times 4

dot1x reauthenticate

Function

The dot1x reauthenticate command enables periodic 802.1x re-authentication on an interface.

The undo dot1x reauthenticate command disables periodic 802.1x re-authentication on an interface.

By default, periodic 802.1x re-authentication is disabled on an interface.

Format

In the system view:

dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

dot1x reauthenticate

undo dot1x reauthenticate

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, Ethernet interface view, GE interface view, WLAN-ESS interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After modifying the authentication information of an online user on the authentication server, the administrator needs to re-authenticate the user in real time to ensure user validity.

After the user goes online, the device saves user authentication information. After 802.1x re-authentication is enabled using the dot1x reauthenticate command, the device sends the stored authentication information of the online user to the authentication server for re-authentication at an interval. If the authentication information of the user does not change on the authentication server, the user is online normally. If the authentication information has been changed, the user is forced to go offline. The user then needs to be re-authenticated according to the changed authentication information.
NOTE:

The re-authentication interval is set using the dot1x timer reauthenticate-period command.

If the device is connected to a server for re-authentication and the server replies with a re-authentication deny message that makes an online user go offline, it is recommended that you locate the cause of the re-authentication failure on the server or disable the re-authentication function on the device.

Precautions

If periodic 802.1x re-authentication is enabled, a large number of 802.1x authentication logs are generated.

Example

# Enable periodic 802.1x re-authentication on Eth0/0/1 in the system view.

<Huawei> system-view
[Huawei] dot1x reauthenticate interface ethernet 0/0/1

# Enable periodic 802.1x re-authentication on Eth0/0/1 in the interface view.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dot1x reauthenticate

dot1x reauthenticate mac-address

Function

The dot1x reauthenticate mac-address command enables re-authentication for an online 802.1x user with the specified MAC address.

By default, re-authentication is disabled for an online 802.1x user with the specified MAC address.

Format

dot1x reauthenticate mac-address mac-address

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address of an 802.1x user to be re-authenticated.

The value is in H-H-H format. H contains 1 to 4 hexadecimal digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

For details, see dot1x reauthenticate.

The dot1x reauthenticate mac-address and dot1x reauthenticate commands re-authenticate online 802.1x users and their difference is as follows:
  • The dot1x reauthenticate mac-address command configures the device to re-authenticate a specified user once.
  • The dot1x reauthenticate command configures the device to re-authenticate all users on a specified interface at intervals.

Example

# Enable re-authentication for an 802.1x user with the MAC address of 00e0-fc01-0005.

<Huawei> system-view
[Huawei] dot1x reauthenticate mac-address 00e0-fc01-0005

dot1x retry

Function

The dot1x retry command sets the maximum number of times an authentication request is sent to an 802.1x user.

The undo dot1x retry command restores the default setting.

By default, the device sends an authentication request to an 802.1x user twice.

Format

dot1x retry max-retry-value

undo dot1x retry

Parameters

Parameter

Description

Value

max-retry-value

Specifies the maximum number of times an authentication request is sent to an 802.1x user.

The value is an integer that ranges from 1 to 10.

By default, the device sends an authentication request to an 802.1x user twice.

The default value is recommended.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The maximum number of times an authentication request is sent to an 802.1x user (set using the dot1x retry command) covers both the authentication request packets sent to a user who is not yet online and the handshake request packets sent to a user who is online.

If a user does not respond within the period set using the dot1x timer command after the device sends an authentication request, the device sends the request again. If an offline user has still not responded when the number of authentication request packets sent reaches the limit, the device stops initiating authentication and the authentication fails. If an online user has still not responded when the number of handshake request packets sent reaches the limit, the device considers the user offline and sets the user to the offline state.

NOTE:
  • After you run the dot1x retry command, the setting takes effect on all interfaces enabled with 802.1x authentication.
  • Repeated authentication requests occupy a lot of system resources. When using the dot1x retry command, you can set the maximum number of times according to user requirements and device resources. The default value is recommended.
  • The interval for sending authentication requests is set using the dot1x timer command: the tx-period and client-timeout timers control requests to users who are not yet online, and the handshake-period timer controls handshake requests to online users.
  • The dot1x retry command works together with the guest VLAN function (for details, see authentication guest-vlan). If a user has not responded after the maximum number of authentication requests has been sent, the user is added to the guest VLAN so that the user can access resources in the guest VLAN without being authenticated.

Example

# Set the maximum number of times an authentication request is sent to an 802.1x user to 4.

<Huawei> system-view
[Huawei] dot1x retry 4

dot1x timer

Function

The dot1x timer command sets values of timers used in 802.1x authentication.

The undo dot1x timer command restores the default settings of timers used in 802.1x authentication.

By default, the timers use the values listed in the parameter table: client-timeout 5 seconds, handshake-period 15 seconds, quiet-period 60 seconds, tx-period 30 seconds, and mac-bypass-delay 30 seconds.

Format

dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | mac-bypass-delay delay-time-value }

undo dot1x timer { client-timeout | handshake-period | quiet-period | tx-period | mac-bypass-delay }

Parameters

Parameter

Description

Value

client-timeout client-timeout-value

Specifies the timeout interval of the authentication response from the client.

For details, see dot1x retry.

The value is an integer that ranges from 1 to 120, in seconds.

By default, the timeout interval of the authentication response from the client is 5 seconds.

handshake-period handshake-period-value

Specifies the handshake interval between the device and 802.1x authentication client.

For details, see dot1x handshake.

The value is an integer that ranges from 5 to 7200, in seconds.

By default, the interval for sending handshake packets is 15 seconds.

quiet-period quiet-period-value

Specifies the quiet period.

For details, see dot1x quiet-period.

The value is an integer that ranges from 1 to 3600, in seconds.

By default, the quiet period of a user who fails authentication is 60 seconds.

tx-period tx-period-value

Specifies the interval for sending authentication requests.

The device starts the tx-period timer in either of the following situations:
  • When the client initiates authentication, the device sends a unicast Request/Identity request packet to the client and starts the tx-period timer. If the client does not respond within the period set by the timer, the device retransmits the authentication request packet.
  • To authenticate the 802.1x clients that cannot initiate authentication, the device sends multicast Request/Identity packets through the 802.1x-enabled interface to the clients at the interval set by the tx-period timer.

The value is an integer that ranges from 1 to 120, in seconds.

By default, the interval for sending authentication requests is 30 seconds.

mac-bypass-delay delay-time-value

Specifies the value of the delay timer for MAC address bypass authentication.

After MAC address bypass authentication is configured, the device first performs 802.1x authentication and starts the delay timer. If the user has not passed 802.1x authentication when the delay timer expires, the device performs MAC address bypass authentication for the user.

The value is an integer that ranges from 1 to 300, in seconds.

By default, the value of the delay timer for MAC address bypass authentication is 30s.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

During 802.1x authentication, multiple timers implement systematic interactions between access users, access devices, and the authentication server. You can change the values of the timers using the dot1x timer command to adjust the interaction process. (The values of some timers cannot be changed.) This command is necessary in special network environments. Generally, the default settings of the timers are recommended.

Example

# Set the timeout interval of the authentication response from the client to 90s.

<Huawei> system-view
[Huawei] dot1x timer client-timeout 90
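
The retransmission and offline-detection behaviour described under dot1x retry and under the tx-period, client-timeout and handshake-period timers above, as an added simulation written for this page (example code, not Huawei code, and not taken from the device). It uses the page's defaults (tx-period 30 s, client-timeout 5 s, handshake-period 15 s, retry 2) and assumes what the page does not spell out: tx-period governs EAP-Request/Identity retransmission, client-timeout the wait for the client's answer to the following EAP-Request (challenge), the retry count applies per request type, and a handshake the client answers resets the count of unanswered handshakes. The Supplicant class is constructed client behaviour, not a real 802.1x client.

```python
"""Simulate the authenticator side of the dot1x retry / dot1x timer interaction.

Added example for this page, not Huawei code. Defaults are the page's values:
tx-period 30 s, client-timeout 5 s, handshake-period 15 s, dot1x retry 2.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Dot1xTimers:
    tx_period: float = 30.0         # dot1x timer tx-period: Request/Identity retransmit interval
    client_timeout: float = 5.0     # dot1x timer client-timeout: wait for the client's EAP response
    handshake_period: float = 15.0  # dot1x timer handshake-period: handshake interval when online
    retry: int = 2                  # dot1x retry: maximum sends of one request (1..10)

    def __post_init__(self):
        if not 1 <= self.retry <= 10:
            raise ValueError("dot1x retry must be 1..10")
        if not (1 <= self.tx_period <= 120 and 1 <= self.client_timeout <= 120
                and 5 <= self.handshake_period <= 7200):
            raise ValueError("timer value outside the documented range")


@dataclass
class Supplicant:
    """Constructed client behaviour for the simulation (assumption, not real client code)."""
    identity_delay: Optional[float] = 1.0   # seconds until it answers Request/Identity; None = silent
    challenge_delay: Optional[float] = 1.0  # seconds until it answers the EAP challenge; None = silent
    handshakes_answered: int = 0            # handshakes it answers before falling silent


def send_with_retry(timers: Dot1xTimers, wait: float, delay: Optional[float],
                    label: str, now: float, log: List[str]) -> Tuple[bool, float]:
    """Send `label` up to timers.retry times, waiting `wait` seconds for each answer."""
    for attempt in range(1, timers.retry + 1):
        log.append(f"t={now:g}s  device -> client: {label} ({attempt}/{timers.retry})")
        if delay is not None and delay <= wait:
            now += delay
            log.append(f"t={now:g}s  client -> device: response to {label}")
            return True, now
        now += wait  # timer expired without a response
    return False, now


def simulate(timers: Dot1xTimers, client: Supplicant) -> Tuple[str, float, List[str]]:
    """Run one session; return (outcome, time of the final decision, exchange log)."""
    log = ["t=0s  client -> device: EAPOL-Start"]
    now = 0.0
    ok, now = send_with_retry(timers, timers.tx_period, client.identity_delay,
                              "EAP-Request/Identity", now, log)
    if not ok:
        return "auth-failed: no Identity response", now, log
    ok, now = send_with_retry(timers, timers.client_timeout, client.challenge_delay,
                              "EAP-Request (challenge)", now, log)
    if not ok:
        return "auth-failed: no challenge response", now, log
    log.append(f"t={now:g}s  device -> client: EAP-Success, user online")

    # Online phase: a handshake every handshake-period; `retry` consecutive unanswered
    # handshakes set the user offline (assumption: an answered handshake resets the count).
    answered = missed = 0
    while missed < timers.retry:
        now += timers.handshake_period
        log.append(f"t={now:g}s  device -> client: handshake request")
        if answered < client.handshakes_answered:
            answered += 1
            missed = 0
            log.append(f"t={now:g}s  client -> device: handshake response")
        else:
            missed += 1
    log.append(f"t={now:g}s  device: {timers.retry} handshakes unanswered, user set offline")
    return "offline", now, log


if __name__ == "__main__":
    outcome, when, log = simulate(Dot1xTimers(), Supplicant())
    print("\n".join(log))
    print(outcome, "at", when)
```

With the defaults, a client that authenticates and then stops answering stays authorized for handshake-period x retry = 30 seconds before the device sets it offline; raising dot1x retry lengthens that window as well as the time the device spends on clients that never answer, which is why the page recommends the default.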

dot1x timer reauthenticate-period

Function

The dot1x timer reauthenticate-period command sets the re-authentication interval for 802.1x authentication users.

The undo dot1x timer reauthenticate-period command restores the default re-authentication interval.

By default, the re-authentication interval is 3600 seconds.

Format

dot1x timer reauthenticate-period reauthenticate-period-value

undo dot1x timer reauthenticate-period

Parameters

Parameter

Description

Value

reauthenticate-period-value

Specifies the re-authentication interval for 802.1x authentication users.

The value is an integer that ranges from 60 to 7200, in seconds.

Views

System view, Ethernet interface view, GE interface view

Default Level

2: Configuration level

Usage Guidelines

After enabling the re-authentication function for online 802.1x authentication users using the dot1x reauthenticate command, run the dot1x timer reauthenticate-period command to set the re-authentication interval. The device then re-authenticates online users at the specified interval, ensuring that only authorized users stay online.

If the command is executed in the system view, the function takes effect on all interfaces. If the command is executed in both system view and interface view, the function takes effect on the interface.

Example

# Set the 802.1x re-authentication interval to 7200 seconds.

<Huawei> system-view
[Huawei] dot1x timer reauthenticate-period 7200

dot1x url

Function

The dot1x url command configures the redirect-to URL in 802.1x authentication.

The undo dot1x url command cancels the redirect-to URL configuration in 802.1x authentication.

By default, no redirect-to URL is configured in 802.1x authentication.

Format

dot1x url url-string

undo dot1x url

Parameters

Parameter Description Value
url-string Specifies the redirect-to URL. The value is a string of 1 to 200 case-sensitive characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In the early stage of network deployment, installing the 802.1x client on every terminal is a heavy workload. You can run the dot1x url command to set the redirect-to URL to the web page from which the 802.1x client can be downloaded. When a user uses a web browser to access an address outside the free IP subnet, the device receives the HTTP packet and redirects the user to the redirect-to URL, where the user can download and install the 802.1x client software.

Follow-up Procedure

Run the dot1x free-ip command to configure a free IP subnet where the redirect-to URL of the 802.1x user is located.

Precautions

The redirect-to URL must be within the free IP subnet. Otherwise, the URL is inaccessible.

Example

# Configure the redirect-to URL in 802.1x authentication to http://www.123.com.cn.

<Huawei> system-view
[Huawei] dot1x url http://www.123.com.cn
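
A pre-flight check for the precaution above (the redirect-to URL must lie within a free IP subnet, or unauthenticated clients cannot reach it), as an added example written for this page and not Huawei code. The free IP subnets are passed as CIDR strings and name resolution comes from a constructed table so that the check runs offline; the resolver contents and the www.123.com.cn address are invented for the demonstration, and the "broad subnet" threshold is this example's heuristic, not a rule from the page.

```python
"""Check that a 'dot1x url' redirect-to URL is reachable from a 'dot1x free-ip' subnet.

Added example for this page, not Huawei code. Free IP subnets are CIDR strings;
name resolution is a constructed table (in practice, feed in real DNS answers).
"""
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit


def url_addresses(url: str, resolver: Dict[str, List[str]]):
    """Addresses a browser would connect to for `url` (IP literal, or host name via resolver)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported redirect URL: {url!r}")
    host = parts.hostname
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass  # not an IP literal, so resolve the name
    if host not in resolver:
        raise LookupError(f"{host}: no address known")
    return [ipaddress.ip_address(a) for a in resolver[host]]


def check_redirect_url(url: str, free_ip_subnets: List[str],
                       resolver: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems; an empty list means every address of the URL host
    falls inside a free IP subnet and is reachable before authentication."""
    nets = [ipaddress.ip_network(s, strict=False) for s in free_ip_subnets]
    problems = []
    for addr in url_addresses(url, resolver):
        if not any(addr in net for net in nets):
            problems.append(f"{addr} (from {url}) is outside the free IP subnets {free_ip_subnets}")
    return problems


def broad_subnets(free_ip_subnets: List[str], min_prefixlen: int = 24) -> List[str]:
    """Heuristic chosen for this example (not a page rule): IPv4 free IP subnets shorter
    than /24 expose more of the network to unauthenticated clients than a download page needs."""
    return [s for s in free_ip_subnets
            if ipaddress.ip_network(s, strict=False).prefixlen < min_prefixlen]


if __name__ == "__main__":
    # Constructed data: the download server sits at 10.1.1.20 inside free subnet 10.1.1.0/24.
    resolver = {"www.123.com.cn": ["10.1.1.20"]}
    print(check_redirect_url("http://www.123.com.cn", ["10.1.1.0/24"], resolver))   # []
    print(check_redirect_url("http://www.123.com.cn", ["10.1.2.0/24"], resolver))   # one problem
    print(broad_subnets(["0.0.0.0/0", "10.1.1.0/24"]))                              # ['0.0.0.0/0']
```

When the redirect-to URL uses a host name rather than an IP literal, the client also has to resolve that name before it can reach the page, so the DNS server the clients use must be reachable from the pre-authentication state as well; and every free IP subnet is reachable by anyone who plugs in, so keep the subnets no wider than the download page needs.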

dot1x mc-trigger

Function

The dot1x mc-trigger command enables multicast-triggered 802.1x authentication.

The undo dot1x mc-trigger command disables multicast-triggered 802.1x authentication.

By default, multicast-triggered 802.1x authentication is enabled.

Format

dot1x mc-trigger

undo dot1x mc-trigger

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a client (for example, the built-in 802.1x client of the Windows operating system) cannot send an EAPOL-Start packet to perform 802.1x authentication, you can enable multicast-triggered 802.1x authentication. After that, the device multicasts an Identity EAP-Request frame to the client to trigger authentication.
NOTE:

When the access control mode on the device interface is based on the MAC address, the dot1x mc-trigger command does not take effect.

Prerequisites

802.1x authentication has been enabled globally and on the interface using the dot1x enable command.

Example

# Enable multicast-triggered 802.1x authentication.

<Huawei> system-view
[Huawei] dot1x mc-trigger

mac-authen

Function

The mac-authen command enables MAC address authentication globally or on an interface.

The undo mac-authen command disables MAC address authentication globally or on an interface.

By default, MAC address authentication is disabled globally and on an interface.

Format

In the system view:

mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

undo mac-authen [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

In the interface view:

mac-authen

undo mac-authen

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, Ethernet interface view, GE interface view, WLAN-ESS interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MAC address authentication controls the network access rights of a user based on the user's access interface and MAC address. During MAC address authentication, the user's MAC address is used as both the user name and the password. Because a MAC address can be forged, MAC address authentication is suitable only for scenarios where MAC addresses do not change and a high level of security is not required, for example, to authenticate terminals such as printers on which an authentication client cannot be installed.

If you run the mac-authen command in the system view without any interfaces specified, MAC address authentication is enabled globally. The configurations of MAC address authentication take effect only after global MAC address authentication is enabled. MAC address bypass authentication is not controlled by this command.

To enable MAC address authentication on an interface, you can perform either of the following operations:
  • Run the mac-authen command in the interface view.
  • Run the mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> command in the system view.

Precautions

  • Before running the undo mac-authen command, ensure that there is no online MAC address authentication user; otherwise, you cannot run this command. Online MAC address authentication users do not include online users using MAC address bypass authentication.

  • After the static MAC address entry is configured using the mac-address static mac-address interface-type interface-number vlan vlan-id command, the user corresponding to the entry cannot pass MAC address authentication.
  • The mac-authen command cannot be used together with the following commands on the same interface:
    • mac-limit: sets the maximum number of MAC addresses that can be learned by an interface.
    • mac-address learning disable: disables MAC address learning on an interface.
    • port link-type dot1q-tunnel: sets the link type of an interface to QinQ.
    • port-security enable: enables interface security.

Example

# Enable global MAC address authentication.

<Huawei> system-view
[Huawei] mac-authen

# Enable MAC address authentication on Eth0/0/1 in the system view.

<Huawei> system-view
[Huawei] mac-authen
[Huawei] mac-authen interface ethernet 0/0/1

# Enable MAC address authentication on Eth0/0/1 in the interface view.

<Huawei> system-view
[Huawei] mac-authen
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] mac-authen

mac-authen domain

Function

The mac-authen domain command configures an authentication domain for MAC address authentication users.

The undo mac-authen domain command restores the global default authentication domain for MAC address authentication users.

The default authentication domain for MAC address authentication users is the global default domain.

Format

In the system view:

mac-authen domain isp-name [ mac-address mac-address mask mask ]

undo mac-authen domain [ isp-name [ mac-address mac-address ] | [ mac-address { mac-address | all } ] ]

In the interface view:

mac-authen domain isp-name

undo mac-authen domain

Parameters

Parameter

Description

Value

isp-name

Specifies the ISP domain name.

The value is a string of 1 to 64 case-insensitive characters without any space, asterisk (*), question mark (?), quotation mark ("), hyphen (-) or consecutive hyphens (--).

mac-address mac-address

Specifies an authentication domain for the MAC address authentication user with a specified MAC address.

The value is in H-H-H format. H contains 1 to 4 hexadecimal digits.

mask mask

Specifies the mask of a MAC address.

The value is in H-H-H format. H contains 1 to 4 hexadecimal digits.

all

Restores the global default domain for all MAC address authentication users.

-

Views

System view, Ethernet interface view, GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When user names for MAC address authentication do not contain domain names, the device authenticates users using the default domain if no authentication domain is configured on the device or interface. The authentication scheme is not flexible because all users are authenticated in the default domain. The mac-authen domain command specifies the authentication domains for MAC address authentication users. Different interfaces can be located in different authentication domains. This command can specify the authentication domains for the specified MAC addresses. Therefore, this command allows users with different authentication requirements to adopt various authentication schemes.

NOTE:
  • If the user name contains a domain name (configured using mac-authen username), the user is authenticated in this domain.

  • The specified user names and domain names must be the same as those configured in the AAA view.

  • The authentication schemes in the domains are configured in the AAA view.

Prerequisites

The domain to be configured as an authentication domain has been created using the domain(AAA view) command.

MAC address authentication has been enabled globally and on an interface using the mac-authen command.

Precautions

If authentication domains are configured in both the system view and interface view, the domain configured in the interface view takes effect. If no authentication domain is configured in the interface view, the domain configured in the system view takes effect.

You must specify a unicast MAC address in the mac-authen domain command. A user with an all-0 MAC address is not authenticated.

The configured authentication domain is applied to the MAC addresses calculated with the mask. Therefore, the undo mac-authen domain command will delete the authentication domain of the calculated MAC addresses. Before running the undo mac-authen domain command, run the display this command to view the calculated MAC addresses.

On a network configured with both 802.1x authentication and MAC address bypass authentication, an 802.1x user who fails 802.1x authentication is then authenticated using MAC address bypass authentication. If the authentication scheme used for MAC address bypass authentication is none (no authentication), such a user goes online without being authenticated at all. To prevent this unauthenticated access, use the mac-authen domain command to place the two authentication methods in different domains.

Example

# Configure the cams domain as the authentication domain for MAC address authentication users in the system view.

<Huawei> system-view
[Huawei] mac-authen domain cams

# Configure the cams domain as the authentication domain for MAC address authentication users in the interface view.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] mac-authen domain cams
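
The checks a practitioner would run before issuing mac-authen domain with a mac-address and mask, as an added example written for this page (not Huawei code): it parses the H-H-H notation the parameter table specifies, applies the page's rules that the address must be unicast and that an all-zero MAC address is never authenticated, lists which online users an entry "calculated with the mask" covers (the check the page tells you to make with display this before undo mac-authen domain), and resolves a user's domain with the interface-over-system precedence the page states. That a matching MAC entry is consulted before the interface and system domains is an assumption made for this example; the vendor prefix and user addresses are constructed.

```python
"""Checks before 'mac-authen domain isp-name mac-address X mask M'.

Added example for this page, not Huawei code. Parses H-H-H notation (each H is
1 to 4 hex digits), applies the page's unicast / non-zero rules, and resolves
which users an entry covers.
"""
import re
from typing import List, Optional, Tuple

_HHH = re.compile(r"^([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})$")


def parse_hhh(text: str) -> int:
    """'e0-fc01-5' -> 0x00e0fc010005; each H is zero-extended to 16 bits."""
    m = _HHH.match(text.strip())
    if not m:
        raise ValueError(f"not H-H-H notation: {text!r}")
    value = 0
    for part in m.groups():
        value = (value << 16) | int(part, 16)
    return value


def format_hhh(value: int) -> str:
    """Canonical zero-padded H-H-H form, as display output shows it."""
    return "-".join(f"{(value >> shift) & 0xFFFF:04x}" for shift in (32, 16, 0))


def validate_user_mac(text: str) -> int:
    """Page rules: a unicast MAC address is required; an all-zero MAC user is not authenticated."""
    value = parse_hhh(text)
    if value == 0:
        raise ValueError("all-zero MAC address is never authenticated")
    if (value >> 40) & 1:  # I/G bit of the first octet set: multicast or broadcast
        raise ValueError(f"{format_hhh(value)} is not a unicast MAC address")
    return value


def is_valid_user_mac(text: str) -> bool:
    try:
        validate_user_mac(text)
        return True
    except ValueError:
        return False


def covered(mac: int, entry_mac: int, mask: int) -> bool:
    """True when `mac` is one of the addresses 'calculated with the mask' for the entry."""
    return (mac & mask) == (entry_mac & mask)


def affected_users(entry_mac: str, mask: str, online_macs: List[str]) -> List[str]:
    """Online users an 'undo mac-authen domain ... mac-address' for this entry would affect."""
    e, m = parse_hhh(entry_mac), parse_hhh(mask)
    return [u for u in online_macs if covered(parse_hhh(u), e, m)]


def select_domain(user_mac: str,
                  entries: List[Tuple[str, str, str]],
                  interface_domain: Optional[str] = None,
                  system_domain: Optional[str] = None,
                  global_default: str = "default") -> str:
    """Resolve the authentication domain for a MAC address authentication user.

    entries: (mac-address, mask, isp-name) triples from the system view.
    The page states only that the interface-view domain beats the system-view
    domain; consulting a matching MAC entry first is this example's assumption.
    """
    mac = validate_user_mac(user_mac)
    for entry_mac, mask, domain in entries:
        if covered(mac, parse_hhh(entry_mac), parse_hhh(mask)):
            return domain
    return interface_domain or system_domain or global_default


if __name__ == "__main__":
    # Constructed configuration: one vendor prefix of printers goes to domain 'printers'.
    entries = [("00e0-fc00-0000", "ffff-ff00-0000", "printers")]
    print(select_domain("e0-fc01-5", entries, interface_domain="cams"))         # printers
    print(select_domain("0001-0002-0003", entries, interface_domain="cams"))    # cams
    print(affected_users("00e0-fc00-0000", "ffff-ff00-0000",
                         ["00e0-fc01-0005", "0001-0002-0003"]))                 # ['00e0-fc01-0005']
```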

mac-authen max-user

Function

The mac-authen max-user command sets the maximum number of MAC address authentication users on an interface.

The undo mac-authen max-user command restores the default value of the maximum number of MAC address authentication users on an interface.

By default, the maximum number of MAC address authentication users on an interface is the maximum number of MAC address authentication users supported by the device.

Format

In the system view:

mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo mac-authen max-user [ user-number ] interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

mac-authen max-user user-number

undo mac-authen max-user

Parameters

Parameter

Description

Value

user-number

Specifies the maximum number of MAC address authentication users on an interface.

The value is an integer that ranges from 1 to 160.

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, Ethernet interface view, GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To limit the number of MAC address authentication users on an interface, run the mac-authen max-user command. When the number of access users on an interface reaches the limit, the device will not trigger authentication for the users newly connected to the interface; therefore, these users cannot access the network.

Prerequisites

MAC address authentication has been enabled globally and on an interface using the mac-authen command.

Example

# Set the maximum number of MAC address authentication users on Eth0/0/1 to 8 in the system view.

<Huawei> system-view
[Huawei] mac-authen max-user 8 interface ethernet 0/0/1

# Set the maximum number of MAC address authentication users on Eth0/0/1 to 8 in the interface view.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] mac-authen max-user 8

mac-authen quiet-times

Function

The mac-authen quiet-times command configures the maximum number of authentication failures within 60 seconds before a MAC authentication user enters the quiet state.

The undo mac-authen quiet-times command restores the maximum number of authentication failures to the default value.

By default, the maximum number of authentication failures is 1.

Format

mac-authen quiet-times fail-times

undo mac-authen quiet-times

Parameters

Parameter

Description

Value

fail-times

Specifies the maximum number of authentication failures before a MAC authentication user enters the quiet state.

The value is an integer that ranges from 1 to 10. The default value is 1.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The quiet function for MAC address authentication is enabled on the device by default. When the number of authentication failures within 60 seconds reaches the configured maximum (1 by default), the device quiets the MAC authentication user and does not process authentication requests from the user until the quiet period expires, reducing the load that attackers sending repeated authentication attempts place on the system.

If a user enters an incorrect user name or password for the first authentication, the user fails the authentication and enters the quiet state because the maximum number of authentication failures is 1. The user cannot immediately initiate reauthentication. To solve this problem, you can run this command to set the maximum number of authentication failures to a value larger than 1.

Precautions

After the maximum number of authentication failures is set to a value larger than 1, a user in the quiet state can initiate re-authentication only after the quiet period expires. If the user then enters an incorrect user name or password again, the authentication fails, but the device does not quiet the user again and allows the user to initiate re-authentication immediately.

Example

# Set the maximum number of authentication failures within 60 seconds to 4.

<Huawei> system-view
[Huawei] mac-authen quiet-times 4
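
The quiet (lockout) logic described under dot1x quiet-period, dot1x quiet-times and dot1x timer quiet-period, and again here for mac-authen quiet-times and the mac-authen timer quiet-period value (where 0 disables the function), as one added model written for this page; it is example code, not Huawei code. Two points the page leaves implicit are taken as assumptions: a user is quieted as soon as the failures counted within the 60-second window reach the configured quiet-times (which is what the mac-authen text describes for its default of 1), and the failure count starts again from zero when the quiet period ends (the precaution above). The attempt sequence and MAC address in the demonstration are constructed.

```python
"""Model of the NAC quiet (lockout) logic for 802.1x and MAC address authentication.

Added example for this page, not Huawei code. Assumptions: the user is quieted
when failures within the 60-second window reach quiet-times, and the count is
cleared when the quiet period ends.
"""
from collections import deque
from typing import Deque, Dict, Iterable, List, Tuple

WINDOW_SECONDS = 60  # the page counts failures within 60 seconds


class QuietTracker:
    def __init__(self, quiet_times: int, quiet_period: int = 60, enabled: bool = True):
        """quiet_times: failures in the window before quieting (1..10; dot1x default 3,
        mac-authen default 1).  quiet_period: seconds during which requests are discarded
        (default 60; 0 disables the function, as 'mac-authen timer quiet-period 0' does).
        enabled: the 'dot1x quiet-period' switch, off by default for 802.1x."""
        if not 1 <= quiet_times <= 10:
            raise ValueError("quiet-times must be 1..10")
        if not 0 <= quiet_period <= 3600:
            raise ValueError("quiet-period must be 0..3600")
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.enabled = enabled and quiet_period > 0
        self._failures: Dict[str, Deque[float]] = {}   # mac -> failure timestamps in window
        self._quiet_until: Dict[str, float] = {}       # mac -> end of quiet period

    def accepts_request(self, mac: str, now: float) -> bool:
        """Will the device process an authentication request from `mac` at `now`?"""
        until = self._quiet_until.get(mac)
        if until is None:
            return True
        if now < until:
            return False                  # quiet period running: the request is discarded
        del self._quiet_until[mac]        # quiet period over: start with a clean count
        self._failures.pop(mac, None)
        return True

    def record_failure(self, mac: str, now: float) -> bool:
        """Count a failure; return True if this one puts the user into the quiet state."""
        if not self.enabled:
            return False
        window = self._failures.setdefault(mac, deque())
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()              # forget failures older than the window
        if len(window) >= self.quiet_times:
            self._quiet_until[mac] = now + self.quiet_period
            window.clear()
            return True
        return False

    def record_success(self, mac: str) -> None:
        self._failures.pop(mac, None)


def run_attempts(tracker: QuietTracker,
                 attempts: Iterable[Tuple[float, str, bool]]) -> List[str]:
    """Feed (time, mac, credentials_ok) attempts through the tracker; report each outcome."""
    outcomes = []
    for now, mac, ok in attempts:
        if not tracker.accepts_request(mac, now):
            outcomes.append("discarded")
        elif ok:
            tracker.record_success(mac)
            outcomes.append("success")
        elif tracker.record_failure(mac, now):
            outcomes.append("fail->quiet")
        else:
            outcomes.append("fail")
    return outcomes


if __name__ == "__main__":
    # Constructed sequence: three bad guesses, then the real credentials during and after quiet.
    dot1x = QuietTracker(quiet_times=3, quiet_period=60, enabled=True)
    attempts = [(0, "00e0-fc01-0005", False), (10, "00e0-fc01-0005", False),
                (20, "00e0-fc01-0005", False), (30, "00e0-fc01-0005", True),
                (80, "00e0-fc01-0005", True)]
    print(run_attempts(dot1x, attempts))  # ['fail', 'fail', 'fail->quiet', 'discarded', 'success']
```

The model shows the trade-off the two quiet-times defaults make: with mac-authen's default of 1 a single typo locks the user out for the whole quiet period, while 802.1x with quiet-period disabled never throttles a password-guessing client at all, so enabling dot1x quiet-period on user-facing ports is the setting a security reviewer looks for.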

mac-authen reauthenticate

Function

The mac-authen reauthenticate command enables periodic MAC address re-authentication on a specified interface.

The undo mac-authen reauthenticate command disables periodic MAC address re-authentication on a specified interface.

By default, periodic MAC address re-authentication is enabled on a specified interface.

Format

In the system view:

mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

mac-authen reauthenticate

undo mac-authen reauthenticate

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, Ethernet interface view, GE interface view, WLAN-ESS interface view

Default Level

2: Configuration level

Usage Guidelines

After modifying the authentication information of an online user on the authentication server, the administrator needs to re-authenticate the user in real time to ensure user validity.

After the user goes online, the device saves user authentication information. After periodic re-authentication for all online MAC address authentication users on a specified interface is enabled using the mac-authen reauthenticate command, the device sends the stored authentication information of the online user on the interface to the authentication server for re-authentication at an interval. If the user's authentication information does not change on the authentication server, the user is online normally. If the authentication information has been changed, the user is forced to go offline. The user then needs to be re-authenticated according to the changed authentication information.
NOTE:

The re-authentication interval is set using the mac-authen timer reauthenticate-period command.

If the device is connected to a server for re-authentication and the server replies with a re-authentication deny message that makes an online user go offline, it is recommended that you locate the cause of the re-authentication failure on the server or disable the re-authentication function on the device.

Example

# Enable periodic MAC address re-authentication on Eth0/0/1 in the system view.

<Huawei> system-view
[Huawei] mac-authen reauthenticate interface ethernet 0/0/1

# Enable periodic MAC address re-authentication on Eth0/0/1 in the interface view.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] mac-authen reauthenticate

mac-authen reauthenticate mac-address

Function

The mac-authen reauthenticate mac-address command enables re-authentication for an online MAC address authentication user with a specified MAC address.

By default, re-authentication for an online MAC address authentication user with a specified MAC address is disabled.

Format

mac-authen reauthenticate mac-address mac-address

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address of the online MAC address authentication user to be re-authenticated. The value must be a valid unicast MAC address.

The value is in H-H-H format. H contains 1 to 4 hexadecimal digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

For details, see mac-authen reauthenticate.

The mac-authen reauthenticate mac-address and mac-authen reauthenticate commands both re-authenticate online MAC address authentication users, and differ as follows:
  • The mac-authen reauthenticate mac-address command configures the device to immediately re-authenticate the user with the specified MAC address, once.
  • The mac-authen reauthenticate command configures the device to re-authenticate all online MAC address authentication users on a specified interface at intervals.

Example

# Enable re-authentication for an online MAC address authentication user with the MAC address 0001-0002-0003.

<Huawei> system-view
[Huawei] mac-authen reauthenticate mac-address 0001-0002-0003

mac-authen timer

Function

The mac-authen timer command configures parameters of timers for MAC address authentication.

The undo mac-authen timer command restores the default parameter values of timers for MAC address authentication.

Format

mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value }

undo mac-authen timer { guest-vlan reauthenticate-period | offline-detect | quiet-period }

Parameters

Parameter

Description

Value

guest-vlan reauthenticate-period interval

Specifies the interval for re-authenticating users in the Guest VLAN.

The value is an integer that ranges from 60 to 3600, in seconds. The default value is 60.

offline-detect offline-detect-value

Specifies the interval for detecting online users.

The timer is used to periodically check whether a user is offline.

The value is an integer that ranges from 30 to 7200, in seconds. The default value is 300.

quiet-period quiet-value

Specifies the value of the quiet timer. If a user fails authentication, the device does not process any further authentication requests from that user until the quiet timer expires.

The value is an integer that ranges from 0 to 3600, in seconds.

By default, the quiet period of a user who fails authentication is 60 seconds.

NOTE:

When the quiet timer is set to 0, the quiet function is disabled.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

During MAC address authentication, several timers control the interactions between access users or devices and the authentication server. You can run the mac-authen timer command to change the timer values and thereby adjust the interaction process (the values of some timers cannot be changed). This is necessary only in special network environments; in general, the default timer settings are recommended.
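
The quiet timer described above can be modelled in a few lines. The following Python class is an added illustration written for this page, not Huawei's implementation: a user that fails authentication is ignored until the timer expires, and a value of 0 disables the quiet function. Time is passed in by the caller so the behaviour can be exercised without waiting; the class name and the sample MAC address are constructed for the example.

```python
class QuietTable:
    """Models the quiet timer of 'mac-authen timer quiet-period'.

    quiet_period is in seconds and follows the command's range (0 to 3600);
    0 disables the quiet function, so failed users are never placed in quiet state.
    Time is supplied by the caller (seconds from any monotonic clock) so the
    logic can be tested offline.
    """

    def __init__(self, quiet_period: int = 60) -> None:
        if not 0 <= quiet_period <= 3600:
            raise ValueError("quiet-period must be 0..3600 seconds")
        self.quiet_period = quiet_period
        self._quiet_until: dict[str, float] = {}

    def record_failure(self, mac: str, now: float) -> None:
        """Called when an authentication attempt for mac fails."""
        if self.quiet_period == 0:
            return  # quiet function disabled: no entry is created
        self._quiet_until[mac] = now + self.quiet_period

    def accepts_request(self, mac: str, now: float) -> bool:
        """True if an authentication request from mac should be processed now."""
        until = self._quiet_until.get(mac)
        if until is None:
            return True
        if now >= until:
            del self._quiet_until[mac]  # timer expired: user leaves the quiet state
            return True
        return False

    def quiet_users(self, now: float) -> list[str]:
        """MAC addresses currently in quiet state (operator visibility)."""
        return sorted(m for m, until in self._quiet_until.items() if now < until)


if __name__ == "__main__":
    table = QuietTable(quiet_period=60)
    table.record_failure("0001-0002-0003", now=0)       # constructed sample MAC
    print(table.accepts_request("0001-0002-0003", 30))   # still quiet
    print(table.accepts_request("0001-0002-0003", 60))   # timer expired
```

The two edge cases worth checking are the ones the command text calls out: a request arriving exactly when the timer expires is processed, and with quiet-period 0 a failed user is never placed in quiet state.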

Example

# Set the value of the quiet timer to 60 seconds.

<Huawei> system-view
[Huawei] mac-authen timer quiet-period 60

mac-authen timer reauthenticate-period

Function

The mac-authen timer reauthenticate-period command sets the re-authentication interval for MAC address authentication users.

The undo mac-authen timer reauthenticate-period command restores the default re-authentication interval.

The default re-authentication interval for MAC address authentication users in the system view is 1800 seconds, and the re-authentication interval in the interface view is the same as the re-authentication interval configured in the system view.

Format

mac-authen timer reauthenticate-period reauthenticate-period-value

undo mac-authen timer reauthenticate-period

Parameters

Parameter

Description

Value

reauthenticate-period-value

Specifies the re-authentication interval for MAC address authentication users.

The value is an integer that ranges from 60 to 7200, in seconds.

Views

System view, Ethernet interface view, GE interface view

Default Level

2: Configuration level

Usage Guidelines

After enabling re-authentication for online MAC address authentication users using the mac-authen reauthenticate command, run the mac-authen timer reauthenticate-period command to set the re-authentication interval. The device then re-authenticates online users at the specified interval, ensuring that only authorized users stay online.

If the command is executed in the system view, the interval takes effect on all interfaces. If the command is executed in both the system view and an interface view, the interface view setting takes effect on that interface.

Example

# Set the re-authentication interval for online MAC address authentication users to 3600 seconds.

<Huawei> system-view
[Huawei] mac-authen timer reauthenticate-period 3600

mac-authen username

Function

The mac-authen username command configures the user name format for MAC address authentication.

The undo mac-authen username command restores the default user name format.

By default, the MAC address without hyphens (-) is used as the user name and password for MAC address authentication.

Format

mac-authen username { fixed username [ password cipher password ] | macaddress [ format { with-hyphen | without-hyphen } [ password cipher password ] ] }

undo mac-authen username [ fixed username [ password cipher password ] | macaddress [ format { with-hyphen | without-hyphen } [ password cipher password ] ] ]

Parameters

Parameter

Description

Value

fixed username

Specifies the fixed user name for MAC address authentication.

The value is a string of 1 to 64 case-sensitive characters without spaces.

password cipher password

Specifies the password displayed in cipher text for MAC address authentication.
  • The user with a fixed name can log in without a password if no password is set. This brings a security risk and is not recommended.
  • When a MAC address is used as the user name, the MAC address can be used as the password if no password is set. When local authentication is specified in the AAA authentication scheme, you must set a password.
NOTE:

In WLAN-ESS interface view, the parameter is obligatory.

The value is a string of 48 characters in cipher text, or a string of 1 to 16 characters in plain text.

NOTE:

To improve security, it is recommended that the password contain at least two of the following character types: lower-case letters, upper-case letters, numerals, and special characters, and that it be at least 6 characters long.

macaddress

Specifies that the user name in MAC address authentication is the MAC address.

-

format

Specifies the format of the MAC address.

-

with-hyphen

Specifies that the MAC address with hyphens is used as the user name, for example, 0005-e01c-02e3.

-

without-hyphen

Specifies that the MAC address without hyphens is used as the user name, for example, 0005e01c02e3.

-

Views

System view, Ethernet interface view, GE interface view, WLAN-ESS interface view, WLAN-BSS interface view

Default Level

2: Configuration level

Usage Guidelines

MAC address authentication uses two user name formats: MAC address and fixed user name.
  • When the MAC address is used as the user name for MAC address authentication, the password can be the MAC address or a self-defined character string.
  • When the fixed user name is used for MAC address authentication, the user uses the fixed user name and password set by the administrator for authentication.
By default, the device uses the user's MAC address as both the user name and password, and sends the MAC address to the authentication server for authentication. This makes users inconvenient to identify and manage. You can run the mac-authen username command to configure a fixed name and password for MAC address authentication users, which facilitates user identification and management.
NOTE:

When the user name format in MAC address authentication is configured, ensure that the authentication server supports this format.
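
The following Python functions, added here as an illustration and not part of Huawei's code, derive the credentials an access device would submit under each mac-authen username setting and encode the two password notes from the parameter table as configuration checks. The function names, the acceptance of colon-separated MAC notation, and the sample values are assumptions of the example.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the 12 lowercase hex digits of a MAC address.

    Accepts the device's H-H-H notation (each group 1 to 4 hex digits), the
    six-group HH:HH:HH:HH:HH:HH / HH-HH-HH-HH-HH-HH notation, or bare hex digits.
    """
    parts = re.split(r"[-:.]", mac.strip().lower())
    if len(parts) == 3:
        digits = "".join(p.zfill(4) for p in parts)   # H-H-H, groups padded to 4 digits
    elif len(parts) == 6:
        digits = "".join(p.zfill(2) for p in parts)   # HH:HH:HH:HH:HH:HH
    else:
        digits = "".join(parts)
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return digits


def format_mac(mac: str, with_hyphen: bool) -> str:
    """'0005-e01c-02e3' (format with-hyphen) or '0005e01c02e3' (format without-hyphen)."""
    d = normalize_mac(mac)
    return f"{d[0:4]}-{d[4:8]}-{d[8:12]}" if with_hyphen else d


def mac_authen_credentials(mac, mode="macaddress", fmt="without-hyphen",
                           fixed_username=None, password=None):
    """(username, password) the access device submits for a client.

    mode 'macaddress': the user name is the MAC address in the chosen format and,
    when no password is configured, the password is the same string.
    mode 'fixed': the administrator-configured name and password are used.
    The defaults reproduce the device default (MAC without hyphens for both).
    """
    if mode == "macaddress":
        username = format_mac(mac, with_hyphen=(fmt == "with-hyphen"))
        return username, (password if password is not None else username)
    if mode == "fixed":
        if not fixed_username:
            raise ValueError("mode 'fixed' requires fixed_username")
        return fixed_username, (password if password is not None else "")
    raise ValueError(f"unknown mode {mode!r}")


def check_policy(mode, password, local_authentication):
    """Findings derived from the password notes in the parameter table above."""
    findings = []
    if mode == "fixed" and password is None:
        findings.append("fixed user name without a password: login without a password is possible")
    if mode == "macaddress" and local_authentication and password is None:
        findings.append("local authentication with a MAC-address user name requires a password")
    return findings


if __name__ == "__main__":
    print(mac_authen_credentials("0005-e01c-02e3"))                      # device default
    print(mac_authen_credentials("0005-e01c-02e3", fmt="with-hyphen"))
    print(check_policy("fixed", None, local_authentication=False))
```

Running check_policy against the intended mac-authen username settings before deployment catches the two configurations the parameter table flags: a fixed user name with no password, and local authentication without a configured password.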

Example

# Configure the MAC address with hyphens as the user name for MAC address authentication.

<Huawei> system-view
[Huawei] mac-authen username macaddress format with-hyphen

nginx enable

Function

The nginx enable command enables the Nginx server.

The undo nginx enable command disables the Nginx server.

By default, the Nginx server is disabled.

Format

nginx enable

undo nginx enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The AR routers have an embedded Nginx server. The Nginx server functions as a web server to provide web services for passengers through mobile terminals and a running environment for the Portal authentication function.

By default, the Nginx server is disabled on a started device. You can run the nginx enable command to enable the Nginx server.

Precautions

The Nginx configuration file must be in correct format and successfully loaded; otherwise, the Nginx server cannot be enabled.

NOTE:

Only the AR511GW-L-B3, AR511GW-LAV2M3, AR511GW-LM7, AR511CGW-LAV2M3, AR503GW-LcM7, and AR503GW-LM7 support the Nginx server.

Example

# Enable the Nginx server.

<Huawei> system-view
[Huawei] nginx enable
Info: Nginx has been started. 

nginx load

Function

The nginx load command configures the device to load the Nginx configuration file to the Nginx server when the server is enabled.

NOTE:

The Nginx configuration file must have the file name extension .conf.

Format

nginx load { default | file-name }

Parameters

Parameter

Description

Value

default

Loads the default Nginx configuration file.

-

file-name

Loads the Nginx configuration file stored in the specified directory of a storage medium, such as the flash memory or SD card.

NOTE:

If you specify only the file name but not the directory, the device loads the Nginx configuration file in the current storage directory (root directory of the flash memory).

The value is a character string of 6 to 64 case-insensitive characters without spaces.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The Nginx configuration file defines web services provided by the Nginx server. Usually, a default Nginx configuration file is placed in the configuration directory of the AR routers before delivery and defines basic web services. When the Nginx server is enabled for the first time, the device loads the default Nginx configuration file to the Nginx server.

If you expect to extend web services provided by the Nginx server, place a new Nginx configuration file in the flash memory or SD card and then run the nginx load file-name command to load the configuration file to the Nginx server.

Precautions

  • After the nginx load file-name command is run, the loaded Nginx configuration file is protected in the flash memory or SD card and cannot be modified or deleted.

  • If you repeatedly load Nginx configuration files of different names in the system view, only the latest configuration file takes effect.

  • After the Nginx configuration file is successfully loaded, run the undo nginx enable command and then the nginx enable command to restart the Nginx server so that the new configuration file takes effect.

  • If you restart the device without saving configurations, the Nginx server still uses the last loaded configuration file on restart.

NOTE:

Only the AR511GW-L-B3, AR511GW-LAV2M3, AR511GW-LM7, AR511CGW-LAV2M3, AR503GW-LcM7, and AR503GW-LM7 support the Nginx server.

Example

# Load the default Nginx configuration file.

<Huawei> system-view
[Huawei] nginx load default
Info: Load nginx config file successful. 
[Huawei] nginx enable
Info: Nginx has been started. 

# Load the Nginx configuration file in the root directory of the flash memory.

<Huawei> cd flash:
<Huawei> system-view
[Huawei] nginx load test.conf
Info: Load nginx config file successful. 
[Huawei] undo nginx enable
[Huawei] nginx enable
Info: Nginx has been started. 

nginx proxy port

Function

The nginx proxy port command configures the port number of the Nginx proxy server.

The undo nginx proxy port command deletes the port number of the Nginx proxy server.

By default, the Nginx proxy server uses port number 81.

Format

nginx proxy port { default | port-number }

undo nginx proxy port

Parameters

Parameter

Description

Value

default

Specifies the default port for the Nginx proxy server.

NOTE:

The default port number is 81.

-

port-number

Specifies the port number for the Nginx proxy server.

NOTE:

The configured port number must be the same as the Nginx port number included in the Nginx configuration file.

The value is an integer that ranges from 1 to 65535.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The AR router has a built-in Nginx server that functions as a web server. The server supports Portal authentication performed by the router itself and also provides web services to passengers' mobile terminals. To configure the port number of the Nginx proxy server, run the nginx proxy port command. When the AR receives an HTTP request from a user to the Internet, the traffic is forwarded to the interface on which the Nginx server is enabled, and the Nginx server then provides services such as web services to the user.

Precautions
  • Before using this command, run the nginx enable command to enable the Nginx server.

  • The configured port number must be the same as the Nginx port number included in the Nginx configuration file.

NOTE:

Only the AR511GW-L-B3, AR511GW-LAV2M3, AR511GW-LM7, AR511CGW-LAV2M3, AR503GW-LcM7, and AR503GW-LM7 support the Nginx server.

Example

# Set the port number of the Nginx proxy server to 100.

<Huawei> system-view
[Huawei] nginx proxy port 100

parameter

Function

The parameter command sets the special characters used in URLs.

The undo parameter command restores the default characters.

By default, the start character is ?, assignment character is =, and delimiter is &.

Format

parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } *

undo parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark parameter-value } *

Parameters

Parameter

Description

Value

start-mark parameter-value

Specifies the start character that introduces the URL parameters (the default is ?).

The value is one case-sensitive character without spaces.

assignment-mark parameter-value

Specifies the assignment character of the URL parameters.

The value is one case-sensitive character without spaces.

isolate-mark parameter-value

Specifies the delimiter between URL parameters.

The value is one case-sensitive character without spaces.

Views

URL template view

Default Level

2: Configuration level

Usage Guidelines

The parameter command allows you to customize the characters in URL.

For example, if the URL configured by the url (URL template view) command in the URL template bound to a Portal server template is http://10.1.1.1, you can add the user MAC address, user IP address, and device system name to the URL by specifying the user_mac, user_ip, and device parameters.

When a user with IP address 10.1.1.11 and MAC address 0002-0002-0002 connects to an access device named huawei, the access device redirects the user to http://10.1.1.1?user_mac=0002-0002-0002&user_ip=10.1.1.11&device=huawei for Portal authentication. In the redirection URL, ? is the default start character, = is the default assignment character, and & is the default delimiter between parameters.
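
The redirection URL above can be built and parsed with the three configurable characters as parameters. The following Python code is an added example written for this page, not Huawei's implementation of the parameter command. It percent-encodes parameter values so that a value can never be mistaken for one of the configured marks, and it refuses '%' and alphanumeric characters as marks because they would collide with the percent-escapes; that restriction, the function names and the sample values are assumptions of the example.

```python
from urllib.parse import quote, unquote

# Characters that percent-encoding leaves untouched besides letters and digits.
UNRESERVED = "-._~"


def _check_marks(start_mark, assignment_mark, isolate_mark):
    """Validate the three marks; returns them as one string for _encode()."""
    marks = (start_mark, assignment_mark, isolate_mark)
    if any(len(m) != 1 for m in marks) or len(set(marks)) != 3:
        raise ValueError("marks must be three distinct single characters")
    if any(m == "%" or m.isalnum() for m in marks):
        raise ValueError("'%' and alphanumeric characters cannot be used as marks here")
    return "".join(marks)


def _encode(text, marks):
    """Percent-encode text so it cannot contain any of the configured marks."""
    s = quote(str(text), safe="")
    for m in marks:
        if m in UNRESERVED:           # quote() leaves these as-is, so escape them manually
            s = s.replace(m, "%%%02X" % ord(m))
    return s


def build_redirect_url(base_url, params, start_mark="?", assignment_mark="=", isolate_mark="&"):
    """Append parameters to base_url using the configured start, assignment and delimiter characters."""
    marks = _check_marks(start_mark, assignment_mark, isolate_mark)
    if not params:
        return base_url
    pairs = [f"{_encode(k, marks)}{assignment_mark}{_encode(v, marks)}" for k, v in params.items()]
    return f"{base_url}{start_mark}{isolate_mark.join(pairs)}"


def parse_redirect_url(url, start_mark="?", assignment_mark="=", isolate_mark="&"):
    """Inverse of build_redirect_url(): returns (base_url, params)."""
    _check_marks(start_mark, assignment_mark, isolate_mark)
    base, sep, query = url.partition(start_mark)
    params = {}
    if sep:
        for item in query.split(isolate_mark):
            if item:
                key, _, value = item.partition(assignment_mark)
                params[unquote(key)] = unquote(value)
    return base, params


def portal_redirect(base_url, user_ip, user_mac, device_name, **marks):
    """The redirection URL of the guideline text: user_mac, user_ip and device parameters."""
    return build_redirect_url(
        base_url, {"user_mac": user_mac, "user_ip": user_ip, "device": device_name}, **marks)


if __name__ == "__main__":
    # Values from the guideline text above
    print(portal_redirect("http://10.1.1.1", "10.1.1.11", "0002-0002-0002", "huawei"))
    print(portal_redirect("http://10.1.1.1", "10.1.1.11", "0002-0002-0002", "huawei", start_mark="#"))
```

The encoding step matters when the delimiter is changed to a character that legitimately occurs in a value (for instance '-' in a MAC address): without it the Portal server would split the MAC address into three parameters.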

Example

# Change the start character in a URL from the default ? to #.

<Huawei> system-view
[Huawei] url-template name huawei
[Huawei-url-template-huawei] parameter start-mark #

port (Portal server template view)

Function

The port command sets the port number that a Portal server uses to receive notification packets from the device.

The undo port command restores the default port number.

By default, a Portal server uses port number 50100 to receive packets from the device.

Format

port port-number [ all ]

undo port [ all ]

Parameters

Parameter

Description

Value

port-number

Specifies the destination port number that the device uses when encapsulating UDP packets sent to the Portal server, that is, the port on which the Portal server receives them.

The value is an integer that ranges from 1 to 65535. By default, the value is 50100.

all

Indicates that the device always uses the destination port number specified by port-number to encapsulate UDP packets.

NOTE:

After this keyword is specified, when receiving UDP packets from a Portal server, the device does not use the source port number of those packets as the destination port number of the UDP packets it sends to the Portal server. If the value of port-number differs from the source port number used by the Portal server, the Portal server cannot receive the UDP packets sent by the device. Therefore, this keyword is not recommended.

-

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After creating a Portal server template on the device using the web-auth-server (system view) command, configure parameters for the template.

Run the port command to set the port number that a Portal server uses to receive notification packets from the device. After receiving a Portal authentication request packet from a user, the device sends the packet to the Portal server using the specified destination port number.

Precautions

Ensure that the port number configured on the device is the same as that used by the Portal server.

Example

# Set the port number that a Portal server uses to receive packets from the device to 10000 in the Portal server template huawei.

<Huawei> system-view
[Huawei] web-auth-server huawei
[Huawei-web-auth-server-huawei] port 10000

portal auth-network

Function

The portal auth-network command configures a source subnet for Portal authentication.

The undo portal auth-network command restores the default source subnet for Portal authentication.

By default, the source subnet for Portal authentication is 0.0.0.0/0, indicating that users in all subnets must pass Portal authentication.

Format

portal auth-network network-address { mask-length | mask-address }

undo portal auth-network { network-address { mask-length | mask-address } | all }

Parameters

Parameter Description Value
network-address Specifies the IP address of the source subnet for Portal authentication. The value is in dotted decimal notation.
mask-length Specifies the mask length. The value is an integer that ranges from 1 to 32.
mask-address Specifies the mask of the source subnet for Portal authentication. The value is in dotted decimal notation.
all Deletes all Portal authentication subnets. -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the source subnet for Portal authentication is configured, only user packets from the source subnet can trigger Portal authentication. If an unauthenticated user is not on the source subnet for Portal authentication, the device discards the user's packets that do not match Portal authentication free rules.
NOTE:

The command cannot be run on Layer 2 interfaces.

The portal auth-network command takes effect only for Layer 3 Portal authentication. In Layer 2 authentication, users on all network segments must be authenticated.

Prerequisites

Before running this command on an interface, ensure that a Portal server template is bound to the interface.

Example

# Set the source subnet for Portal authentication to 192.168.1.0/24 on VLANIF10.

<Huawei> system-view
[Huawei] web-auth-server huawei
[Huawei-web-auth-server-huawei] server-ip 10.1.1.1
[Huawei-web-auth-server-huawei] quit
[Huawei] interface vlanif 10
[Huawei-Vlanif10] web-auth-server huawei
[Huawei-Vlanif10] portal auth-network 192.168.1.0 24

portal captive-bypass enable

Function

The portal captive-bypass enable command enables the CNA bypass function for IOS terminals.

The undo portal captive-bypass enable command disables the CNA bypass function.

By default, the CNA bypass function is disabled for IOS terminals.

Format

portal captive-bypass enable

undo portal captive-bypass enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The IOS operating system provides the Captive Network Assistant (CNA) function. With CNA, IOS terminals (including the iPhone, iPad, and iMac) automatically detect network connectivity after associating with a wireless network. If the connection cannot be set up, the terminal asks the user to enter a user name and password. If the user does not enter them, the terminal automatically disconnects from the wireless network.

However, Portal authentication allows users to access certain resources before authentication is successful. If the IOS terminals are disconnected, users cannot access the specified resources. The CNA bypass function addresses this problem. If the users do not enter user names and passwords immediately, the CNA bypass function keeps the IOS terminals online before the Portal authentication is successful. Therefore, the IOS users are allowed to access authentication-free resources.

Example

# Enable the CNA bypass function for IOS terminals.

<Huawei> system-view
[Huawei] portal captive-bypass enable

portal domain

Function

The portal domain command specifies a forcible Portal authentication domain.

The undo portal domain command deletes a forcible Portal authentication domain.

By default, no forcible Portal authentication domain is specified.

Format

portal domain domain-name

undo portal domain

Parameters

Parameter Description Value
domain-name Specifies the forcible Portal authentication domain. The value is a string of 1 to 64 case-insensitive characters without any space, asterisk (*), question mark (?), or quotation mark (").

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

To flexibly deploy access policies for Portal authentication users, the administrator can run the portal domain command to configure a forcible Portal authentication domain.

After a forcible Portal authentication domain is configured on an interface, the device uses the specified authentication domain to authenticate, authorize, and charge Portal authentication users on the interface, ignoring the domain names carried in the user names. The administrator can specify different authentication domains for different interfaces as needed.

NOTE:

The command cannot be run on Layer 2 interfaces.

Example

# Set the forcible Portal authentication domain to abc on VLANIF 10.

<Huawei> system-view
[Huawei] interface vlanif 10
[Huawei-Vlanif10] portal domain abc

portal free-rule

Function

The portal free-rule command configures the Portal authentication-free rule for users.

The undo portal free-rule command restores the default configuration.

By default, no Portal authentication-free rule is configured.

Format

portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | ip { ip-address mask { mask-length | ip-mask } | any } } } *

portal free-rule acl acl-id

undo portal free-rule { rule-id | acl | all }

Parameters

Parameter

Description

Value

rule-id

Specifies the ID of the Portal authentication-free rule.

The value is an integer that ranges from 0 to 31.

NOTE:

If Efficient VPN is configured on the device and the Network-auto-cfg mode is configured, the authentication-free rules with the IDs 0 to 4 may be used. In this scenario, you should not configure the authentication-free rules with the IDs 0 to 4.

destination

Specifies the destination network resources that authentication-free users can access.

-

source

Specifies the source of the authentication-free users.

-

any

Matches any address. Its effect depends on the keyword it follows: after destination it allows access to any destination, and after source it applies to users from any source address.

-

ip ip-address

Specifies the IP address in the rule. Depending on the preceding keyword, it is the source or the destination address.

The value is in dotted decimal notation.

mask mask-length

Specifies the mask length of the IP address. Depending on the preceding keyword, it is the source or the destination address mask.

The value is an integer that ranges from 1 to 32.

mask ip-mask

Specifies the IP address mask. Depending on the preceding keyword, it is the source or the destination address mask.

The value is in dotted decimal notation.

acl acl-id

Specifies an ACL number.

The value is an integer that ranges from 6000 to 6031.

all

Specifies all rules.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A user cannot access the network before being authenticated successfully. You can configure an authentication-free rule for specified users to access certain network resources without passing the Portal authentication. An authentication-free rule can be determined by parameters such as the IP address, MAC address, interface, and VLAN. An authentication-free rule can also be determined by ACL rules. The destination IP address that users can access without authentication can be specified in an authentication-free rule defined by either of the two methods. In addition, the destination domain name that users can access without authentication can be specified in an authentication-free rule defined by ACL.

For example, some authentication users who do not have an authentication account must first log in to the official website of a carrier and apply for a member account, or log in using the account of a third party such as Twitter or Facebook. This requires that the users can access specified websites before successful authentication. The domain name of a website is easier to remember than the IP address; therefore, the authentication-free rule defined by ACL can be configured to enable the users to access the domain names of websites without authentication.

Precautions

  • When multiple authentication-free rules are configured, the system matches the rules one by one.
  • An authentication-free rule defined by rule-id and an authentication-free rule defined by ACL cannot be configured at the same time. When multiple authentication-free rules defined by rule-id are configured, the system matches the rules one by one. When multiple authentication-free rules defined by ACL are configured, only the last one takes effect.
  • Only one ACL can be bound by executing the portal free-rule acl acl-id command. In addition, the IP address configured for the user ACL by using the rule command (with the protocol being IP) conflicts with the IP address configured using the portal free-rule command.
  • If the VLAN is used to determine authentication-free users, the VLANIF interface corresponding to the VLAN must be bound to a Portal server using the web-auth-server (interface view) command; otherwise, the configuration is invalid for users in the VLAN.
  • Before using an authentication-free rule defined by ACL, run the rule command in the ACL view to create an ACL rule.
  • You can only add or delete rules, but cannot modify the created rules. To modify a rule with a certain rule-id, run the undo portal free-rule command to delete the rule and re-configure it.
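
The following Python model, added here as an illustration and not Huawei's implementation, combines the behaviour described for portal auth-network (only packets from a configured source subnet trigger Portal authentication, and other traffic from unauthenticated users that matches no authentication-free rule is discarded) with the rule-by-rule matching of portal free-rule. Checking rules in configured order, the FreeRule and portal_decision names, and the sample addresses are assumptions of the example; the ACL-based form of the command is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Net = ipaddress.IPv4Network


def parse_network(address: str, mask: Union[int, str]) -> Net:
    """Build a subnet from the command's 'ip-address mask { mask-length | ip-mask }' forms.

    mask may be a prefix length (24) or a dotted mask ('255.255.255.0'); host bits
    in address are ignored, so 10.1.1.1 mask 24 yields 10.1.1.0/24.
    """
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


@dataclass(frozen=True)
class FreeRule:
    """One 'portal free-rule rule-id destination ... source ...' entry; None means any."""
    rule_id: int
    destination: Optional[Net] = None
    source: Optional[Net] = None

    def __post_init__(self):
        if not 0 <= self.rule_id <= 31:
            raise ValueError("rule-id must be 0..31")

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return ((self.destination is None or dst in self.destination)
                and (self.source is None or src in self.source))


def match_free_rule(rules, src, dst):
    """ID of the first matching rule (rules are checked one by one in configured order), or None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.rule_id
    return None


def portal_decision(src, dst, auth_networks, free_rules):
    """Handling of a packet from a not-yet-authenticated user: 'permit', 'portal' or 'drop'.

    auth_networks are the subnets configured with portal auth-network (default 0.0.0.0/0).
    """
    if match_free_rule(free_rules, src, dst) is not None:
        return "permit"   # authentication-free resource
    if any(ipaddress.IPv4Address(src) in net for net in auth_networks):
        return "portal"   # packet triggers Portal authentication (redirect to the Portal server)
    return "drop"         # outside every source subnet and matching no free rule


if __name__ == "__main__":
    # Constructed configuration: free rule 1 from the example, auth-network 192.168.1.0/24
    rules = [FreeRule(1, destination=parse_network("10.1.1.1", 24))]
    auth = [parse_network("192.168.1.0", 24)]
    for src, dst in [("192.168.1.5", "10.1.1.200"), ("192.168.1.5", "10.1.2.1"), ("172.16.0.9", "10.1.2.1")]:
        print(src, "->", dst, portal_decision(src, dst, auth, rules))
```

With the default auth-network 0.0.0.0/0 the 'drop' branch is never reached, which is why the command text says that by default users in all subnets must pass Portal authentication.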

Example

# Enable all Portal users to access the network 10.1.1.1/24 without authentication.

<Huawei> system-view
[Huawei] portal free-rule 1 destination ip 10.1.1.1 mask 24 source ip any

# Configure an authentication-free rule defined by ACL 6000.

<Huawei> system-view
[Huawei] portal free-rule acl 6000

portal local-server

Function

The portal local-server command enables the built-in Portal server function.

The undo portal local-server command disables the built-in Portal server function.

By default, the built-in Portal server function is disabled.

Format

portal local-server https ssl-policy policy-name [ port port-num ]

undo portal local-server https

Parameters

Parameter

Description

Value

https

Configures the built-in Portal server to use HTTPS to exchange authentication information with users.

-

ssl-policy policy-name

Specifies the SSL policy used by the built-in Portal server.

NOTE:

policy-name indicates an existing SSL policy.

The value of policy-name is a string of 1 to 31 case-sensitive characters without spaces.

port port-num

Specifies the TCP port number used by HTTPS.

The default port number is used if the parameter is not specified.

The value is an integer that ranges from 1 to 65535.

The default port number is 443.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Compared with the external Portal server, the built-in Portal server is easy to use, cost-effective, and easy to maintain. After the built-in Portal server is configured, the external Portal authentication server is not required. When you run the portal local-server command to enable the built-in Portal server function, configure the built-in Portal server to use HTTPS to exchange authentication information with users. HTTPS is a combination of the HTTP and Secure Sockets Layer (SSL) protocols. If the built-in Portal server is configured to use HTTPS to exchange authentication information with users, an SSL policy must be configured and the digital certificate must be loaded.
NOTE:

You can run the portal local-server enable command to enable the Portal authentication function on the interface only after the built-in Portal server function is enabled.

Prerequisites

  • The IP address for the built-in Portal server has been configured using the portal local-server ip command.

  • The server SSL policy has been configured (for details, see Configuring a Server SSL Policy), and the server SSL policy associated with the HTTPS server has been configured using the http secure-server ssl-policy command.

Precautions

  • When there are online Portal authentication users, the built-in Portal server function cannot be disabled globally and the SSL policy of the built-in Portal server cannot be modified.
  • The SSL policy referenced by the built-in Portal server cannot be deleted.
  • After the built-in Portal server function is enabled globally, neither a guest VLAN nor a restrict VLAN can be created.

Example

# Enable the built-in Portal server function and set the SSL policy used by the built-in Portal server to abc.

<Huawei> system-view
[Huawei] ssl policy abc type server
[Huawei-ssl-policy-abc] pki-realm default
[Huawei-ssl-policy-abc] quit
[Huawei] http secure-server ssl-policy abc
[Huawei] portal local-server https ssl-policy abc

portal local-server ad-image load

Function

The portal local-server ad-image load command loads an advertisement image file to the built-in Portal server login page.

The undo portal local-server ad-image load command deletes the advertisement image file loaded to the built-in Portal server login page.

By default, no advertisement image file is loaded to the built-in Portal server login page.

Format

portal local-server ad-image load ad-image-file

undo portal local-server ad-image load

Parameters

Parameter

Description

Value

ad-image-file

Specifies the name of an advertisement image file to be loaded to the built-in Portal server login page.

The size of the advertisement image file must be equal to or less than 256 KB. A file of 670 x 405 pixels is recommended.

The value is a string of 5 to 64 case-insensitive characters without spaces, in the format of [ drive ] [ path ] filename.
  • drive: indicates the storage device name.
  • path: indicates the directory and its subdirectory. The directory name cannot contain the following characters: ~, *, /, \, :, ', and ".
  • filename: indicates the file name. The jpg and png formats are supported, and the file name extension must be .jpg, .jpeg, or .png. If you enter only the file name, the system considers that the file is stored in the default directory.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

There is a blank area on the login page of the default page package used by the built-in Portal server. Users can customize this area by loading an advertisement image file. When the login page needs to be customized based on special requirements, the administrator can upload the user-defined advertisement image file to the device and run the portal local-server ad-image load command. After the advertisement image file is loaded, the user-defined advertisement images are displayed on the built-in Portal server login page for authentication.

Prerequisites

The user-defined advertisement image file must have been uploaded to the device.

Example

# Load the advertisement image file ad.png to the built-in Portal server login page.

<Huawei> system-view
[Huawei] portal local-server ad-image load flash:/ad.png
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.

portal local-server authentication-method

Function

The portal local-server authentication-method command configures the authentication mode for Portal users on the built-in Portal server.

The undo portal local-server authentication-method command restores the default authentication mode for Portal users on the built-in Portal server.

By default, the built-in Portal server uses CHAP to authenticate Portal users.

Format

portal local-server authentication-method { chap | pap }

undo portal local-server authentication-method

Parameters

Parameter

Description

Value

chap

Indicates that the built-in Portal server uses CHAP to authenticate Portal users.

-

pap

Indicates that the built-in Portal server uses PAP to authenticate Portal users.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Password Authentication Protocol (PAP) is a two-way handshake authentication protocol. It transmits passwords in plain text format in RADIUS packets.

Challenge Handshake Authentication Protocol (CHAP) is a three-way handshake authentication protocol. It transmits only user names using RADIUS packets, but does not transmit passwords. CHAP is more secure and reliable than PAP. If high security is required, CHAP is recommended.
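To make the difference between the two modes concrete, here is an added Python model of the PAP and CHAP exchanges at the RADIUS-attribute level. It is not Huawei code: it follows RFC 1994 for the CHAP response and uses a constructed credential store; the reversible hiding that RFC 2865 applies to the PAP User-Password attribute is omitted.

```python
import hashlib
import hmac
import os

# Constructed credential store: what the AAA/RADIUS server holds for a user.
USER_DB = {"alice": "s3cret-pass"}


def pap_access_request(username, password):
    """PAP (two-way handshake): the Access-Request carries the password itself
    in User-Password. RFC 2865's reversible hiding of that attribute is omitted."""
    return {"User-Name": username, "User-Password": password.encode()}


def pap_verify(request):
    """Server side of PAP: compare the received password with the stored one."""
    stored = USER_DB.get(request["User-Name"])
    return stored is not None and hmac.compare_digest(
        request["User-Password"], stored.encode())


def chap_challenge():
    """Step 1 of the three-way handshake: the server sends a random challenge."""
    return os.urandom(16)


def chap_response(identifier, password, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge).
    MD5 is what the protocol mandates, not a general recommendation."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def chap_access_request(username, password, challenge, identifier=1):
    """Step 2: the client answers with CHAP-Password = Ident || 16-byte response
    and the challenge is relayed in CHAP-Challenge. The password stays local."""
    return {
        "User-Name": username,
        "CHAP-Password": bytes([identifier]) + chap_response(identifier, password, challenge),
        "CHAP-Challenge": challenge,
    }


def chap_verify(request):
    """Step 3: the server recomputes the response from the stored password and
    the challenge it issued, and accepts only if the digests match."""
    stored = USER_DB.get(request["User-Name"])
    if stored is None:
        return False
    ident = request["CHAP-Password"][0]
    expected = chap_response(ident, stored, request["CHAP-Challenge"])
    return hmac.compare_digest(expected, request["CHAP-Password"][1:])


def password_visible(request, password):
    """What a passive observer of the RADIUS leg learns: True if the password
    bytes appear verbatim in any attribute of the request."""
    needle = password.encode()
    return any(isinstance(v, bytes) and needle in v for v in request.values())


def response_valid_for_new_challenge(captured_request):
    """A CHAP response is bound to one challenge: verifying the same
    CHAP-Password against a freshly issued challenge fails."""
    reissued = dict(captured_request, **{"CHAP-Challenge": chap_challenge()})
    return chap_verify(reissued)


if __name__ == "__main__":
    pap = pap_access_request("alice", "s3cret-pass")
    print("PAP verified:", pap_verify(pap),
          "| password on wire:", password_visible(pap, "s3cret-pass"))
    chap = chap_access_request("alice", "s3cret-pass", chap_challenge())
    print("CHAP verified:", chap_verify(chap),
          "| password on wire:", password_visible(chap, "s3cret-pass"))
    print("CHAP digest reusable for another challenge:",
          response_valid_for_new_challenge(chap))
```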

Prerequisites

The built-in Portal server function has been enabled globally using the portal local-server command.

Example

# Configure the built-in Portal server to use PAP to authenticate Portal users.

<Huawei> system-view
[Huawei] portal local-server authentication-method pap

portal local-server background-color

Function

The portal local-server background-color command configures the background color of the built-in Portal server login page.

The undo portal local-server background-color command cancels the background color configured for the built-in Portal server login page.

By default, no background color of the built-in Portal server login page is configured.

Format

portal local-server background-color background-color-value

undo portal local-server background-color

Parameters

Parameter

Description

Value

background-color-value

Specifies the background color of the built-in Portal server login page.

The value is a string that ranges from #000000 to #FFFFFF in the RGB format.

The color is given as a hexadecimal code of six hexadecimal digits (0-9 and A-F) prefixed with #, for example #DEFABC.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Users can customize the login page of the default page package used by the built-in Portal server. The administrator can configure the background color of the login page.

Example

# Configure the user-defined background color of the built-in Portal server.

<Huawei> system-view
[Huawei] portal local-server background-color #AABBCC

portal local-server background-image load

Function

The portal local-server background-image load command loads a background image file to the built-in Portal server login page.

The undo portal local-server background-image load command deletes the background image file loaded to the built-in Portal server login page.

By default, the device has two background images default-image0 and default-image1. The built-in Portal server uses default-image0 as the background image by default.

Format

portal local-server background-image load { background-image-file | default-image1 }

undo portal local-server background-image load

Parameters

Parameter

Description

Value

background-image-file

Specifies the name of the background image file to be loaded to the built-in Portal server login page.

The size of the background image file must be equal to or less than 512 KB. A file of 1366 x 768 pixels is recommended.

The value is a string of 5 to 64 case-insensitive characters without spaces, in the format of [ drive ] [ path ] filename.
  • drive: indicates the storage device name.
  • path: indicates the directory and its subdirectory. The directory name cannot contain the following characters: ~, *, /, \, :, ', and ".
  • filename: indicates the file name. The jpg and png formats are supported, and the file name extension must be .jpg, .jpeg, or .png. If you enter only the file name, the system considers that the file is stored in the default directory.

default-image1

Loads the background image default-image1 to the built-in Portal server login page.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Users can customize the login page of the default page package used by the built-in Portal server. Users can customize background images or select the default ones. When the background image of the login page needs to be customized based on special requirements, the administrator can upload the user-defined background image file to the device and run the portal local-server background-image load command. After the image is loaded, the user-defined background image file is displayed on the built-in Portal server login page for authentication.

Prerequisites

The user-defined background image must have been uploaded to the device.

Example

# Load the background image file bg.png to the built-in Portal server login page.

<Huawei> system-view
[Huawei] portal local-server background-image load flash:/bg.png
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.

portal local-server enable

Function

The portal local-server enable command enables built-in Portal authentication on an interface.

The undo portal local-server enable command disables built-in Portal authentication on an interface.

By default, built-in Portal authentication is disabled on an interface.

Format

In the system view:

portal local-server enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

undo portal local-server enable interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10>

In the interface view:

portal local-server enable

undo portal local-server enable

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Specifies the interface type and number.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

System view, interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Compared with the external Portal server, the built-in Portal server is easy to use, cost-effective, and easy to maintain. After built-in Portal authentication is enabled, the external Portal server is not required. After the built-in Portal server function is enabled using the portal local-server command, built-in Portal authentication must be enabled on the interface using the portal local-server enable command to authenticate users on the interface.

Prerequisites

Portal authentication has been enabled globally using the portal local-server command.

Precautions

It is recommended that you enable built-in Portal authentication on a VLANIF interface. The VLANIF interface of a super-VLAN does not support built-in Portal authentication.

Built-in Portal authentication of Layer 3 interfaces cannot be configured using this command in the system view. To enable Portal authentication on VLANIF interfaces, WAN interfaces, or port groups, you can only use the command format in the interface view.

If 802.1x authentication, MAC address authentication, MAC address bypass authentication or built-in Portal authentication is enabled on a Layer 2 interface, this command cannot be executed on the VLANIF interface of a VLAN to which the Layer 2 interface is added.

Example

# Enable built-in Portal authentication on VLANIF 10.

<Huawei> system-view
[Huawei] interface loopback 1
[Huawei-LoopBack1] ip address 10.1.1.1 24
[Huawei-LoopBack1] quit
[Huawei] portal local-server ip 10.1.1.1
[Huawei] ssl policy s1 type server
[Huawei-ssl-policy-s1] pki-realm default
[Huawei-ssl-policy-s1] quit
[Huawei] http secure-server ssl-policy s1
[Huawei] portal local-server https ssl-policy s1 port 1025
[Huawei] vlan batch 10
[Huawei] interface vlanif 10
[Huawei-Vlanif10] portal local-server enable

portal local-server ip

Function

The portal local-server ip command configures an IP address for the built-in Portal server.

The undo portal local-server ip command deletes an IP address of the built-in Portal server.

By default, no IP address is configured for the built-in Portal server.

Format

portal local-server ip ip-address

undo portal local-server ip

Parameters

Parameter

Description

Value

ip-address

Specifies an IP address for the built-in Portal server.

The value is in dotted decimal notation.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the device is used as a built-in Portal server, you can run the portal local-server ip command to configure an IP address for the built-in Portal server. Users are then redirected to the Portal server if they enter URLs that are not located in the free IP subnet.
NOTE:
  • The IP address assigned to the built-in Portal server must have a reachable route to the user.

  • It is recommended that a loopback interface address be assigned to the built-in Portal server because the loopback interface is stable. Additionally, packets destined for loopback interfaces are not sent to other interfaces on the network; therefore, system performance is not deteriorated even if many users request to go online.

  • After users go online through the built-in Portal server, if the interface address or interface (non-physical interface) matching the built-in Portal server's IP address is deleted, online users cannot go offline and offline users cannot go online. Therefore, exercise caution when you delete the interface address or interface.

Example

# Assign the IP address 1.1.1.1 to the built-in Portal server.

<Huawei> system-view
[Huawei] portal local-server ip 1.1.1.1

portal local-server keep-alive

Function

The portal local-server keep-alive command configures the heartbeat detection interval and mode of the built-in Portal server.

The undo portal local-server keep-alive command cancels the configured heartbeat detection interval and mode of the built-in Portal server.

By default, the heartbeat detection function of the built-in Portal server is not configured.

Format

portal local-server keep-alive interval interval-value [ auto ]

undo portal local-server keep-alive

Parameters

Parameter

Description

Value

interval interval-value

Specifies the heartbeat detection interval of the built-in Portal server.

The value is an integer that ranges from 30 to 7200, in seconds.

auto

Specifies the automatic detection mode.

If this parameter is not configured, the forcible detection mode is specified.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a user closes the browser or an exception occurs, the device can detect the user's online state to determine whether to log the user out. The administrator can configure the heartbeat detection function of the built-in Portal server. If the device does not receive a heartbeat packet from the client within the specified interval, the device forces the user offline. The heartbeat detection mode of the built-in Portal server can be either of the following modes:
  • Forcible detection mode: This mode applies to all users. If the device does not receive a heartbeat packet from a user within the specified interval, the device forces the user offline.
  • Automatic detection mode: The device checks whether the client browser supports the heartbeat program. If yes, the forcible detection mode is used for the user; if no, the device does not detect the user. You are advised to configure this mode to prevent users from being forced offline only because their browser does not support the heartbeat program.
    NOTE:

    Currently, the heartbeat program is supported by Internet Explorer 8, Firefox 3.5.2, Chrome 28.0.1500.72, and Opera 12.00 on Windows 7.

    Browsers using Java 1.7 and later versions do not support the heartbeat program.

Precautions

When the forcible detection mode is configured, the device may force users offline during network congestion because it fails to receive their heartbeat packets for a long time. In this scenario, increase the heartbeat detection interval.

If you run this command multiple times in the same view, only the latest configuration takes effect.

Example

# Configure the automatic detection function of the built-in Portal server.

<Huawei> system-view
[Huawei] portal local-server keep-alive interval 60 auto

portal local-server load

Function

The portal local-server load command loads a page file package to the built-in Portal server.

The undo portal local-server load command restores the default configuration.

By default, the built-in Portal server loads the default page file package portalpage.zip.

Format

portal local-server load string

undo portal local-server load

Parameters

Parameter

Description

Value

string

Specifies the name of the page file package to be loaded to the built-in Portal server.

The value is a string of 1 to 64 case-insensitive characters without any space, asterisk (*), question mark (?), or quotation mark (").

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Customized page file packages can be loaded to the built-in Portal server.

Prerequisites

The page file (.zip) has been uploaded from the PC to the device storage media.

Precautions

The default page file package can be modified but cannot be deleted. If it is deleted, the built-in Portal server fails to load the pages after startup.

This function is used by technical support personnel to develop limited page customization based on customer requirements and does not apply to customization by customers themselves.

Example

# Load the page file portalpage_01.zip on the built-in Portal server.

<Huawei> system-view
[Huawei] portal local-server load portalpage_01.zip
Warning: Portal local server has been enabled, and this operation will affect online user, continue?[Y/N]:y
Info: The loading process may take a few seconds.Please wait for a moment
Info: Load web file successfully.

portal local-server logo load

Function

The portal local-server logo load command loads a logo file to the built-in Portal server login page.

The undo portal local-server logo load command deletes the logo file loaded to the built-in Portal server login page.

By default, no logo file is loaded to the built-in Portal server login page.

Format

portal local-server logo load logo-file

undo portal local-server logo load

Parameters

Parameter

Description

Value

logo-file

Specifies the name of the logo file to be loaded to the built-in Portal server login page.

The size of the logo file must be equal to or less than 128 KB. A file of 591 x 80 pixels is recommended.

The value is a string of 5 to 64 case-insensitive characters without spaces, in the format of [ drive ] [ path ] filename.
  • drive: indicates the storage device name.
  • path: indicates the directory and its subdirectory. The directory name cannot contain the following characters: ~, *, /, \, :, ', and ".
  • filename: indicates the file name. The jpg and png formats are supported, and the file name extension must be .jpg, .jpeg, or .png. If you enter only the file name, the system considers that the file is stored in the default directory.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

There is a blank area on the login page of the default page package used by the built-in Portal server. Users can customize this area by loading a logo file. When the login page needs to be customized based on special requirements, the administrator can upload the user-defined logo file to the device and run the portal local-server logo load command. After the logo file is loaded, the user-defined logo is displayed on the built-in Portal server login page for authentication.

Prerequisites

The user-defined logo file must have been uploaded to the device.

Example

# Load the logo file logo.png to the built-in Portal server login page.

<Huawei> system-view
[Huawei] portal local-server logo load flash:/logo.png
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.

portal local-server timer session-timeout

Function

The portal local-server timer session-timeout command configures the session timeout interval for built-in Portal authentication users.

The undo portal local-server timer session-timeout command restores the default session timeout interval for built-in Portal authentication users.

By default, the session timeout interval is 8 hours for built-in Portal authentication users.

Format

portal local-server timer session-timeout interval

undo portal local-server timer session-timeout

Parameters

Parameter

Description

Value

interval

Specifies the session timeout interval for built-in Portal authentication users.

The value is an integer that ranges from 1 to 720, in hours.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When built-in Portal authentication is used for users and the device functions as a built-in Portal server, you can configure the session timeout interval for the users. The users are disconnected after the specified session timeout interval. To connect to the network again, the users need to be re-authenticated.

Precautions

The session timeout interval for built-in Portal authentication users is calculated based on the device time. For example, if the session timeout interval is 6 hours and the device time is 2014-09-01 02:00:00 when a user connected, the user is disconnected at 2014-09-01 08:00:00. Therefore, ensure that the device time is correct after the session timeout interval is configured for users. If the device time is incorrect, users may fail to be connected or disconnected properly. You can run the display clock command to check the device time and the clock datetime HH:MM:SS YYYY-MM-DD command to configure the time.

Example

# Configure the session timeout interval to 10 hours for built-in Portal authentication users.

<Huawei> system-view
[Huawei] portal local-server timer session-timeout 10

portal max-user

Function

The portal max-user command sets the maximum number of concurrent Portal authentication users allowed to access the device.

The undo portal max-user command restores the default maximum number of concurrent Portal authentication users.

By default, the number of Portal authentication users is the maximum number of Portal authentication users supported by the device.

Format

portal max-user user-number

undo portal max-user

Parameters

Parameter

Description

Value

user-number

Specifies the maximum number of concurrent Portal users.

The value is an integer that ranges from 1 to 160.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can run the portal max-user command to set the maximum number of concurrent Portal authentication users.

Example

# Set the maximum number of concurrent Portal authentication users to 25.

<Huawei> system-view
[Huawei] portal max-user 25

portal local-server page-text load

Function

The portal local-server page-text load command loads a text file or hypertext file to the built-in Portal server login page.

The undo portal local-server page-text load command deletes the text file or hypertext file loaded to the built-in Portal server login page.

By default, no text file or hypertext file is loaded to the built-in Portal server.

Format

portal local-server page-text load string

undo portal local-server page-text load

Parameters

Parameter

Description

Value

string

Specifies the name of the text file or hypertext file to be loaded to the built-in Portal server login page.

The value is a string of 5 to 64 case-insensitive characters without spaces, in the format of [ drive ] [ path ] filename.
  • drive: indicates the storage device name.
  • path: indicates the directory and its subdirectory. The directory name cannot contain the following characters: ~, *, /, \, :, ', and ".
  • filename: indicates the file name. The file name extension must be .txt or .html. If you enter only the file name, the system considers that the file is stored in the default directory.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Users can customize the login page of the default page package used by the built-in Portal server. When the text file or hypertext file of the login page needs to be customized based on special requirements, the administrator can upload the user-defined text file or hypertext file to the device and run the portal local-server page-text load command. After the file is loaded, the user-defined text or hypertext content is displayed on the built-in Portal server login page for authentication.

Prerequisites

The page file to be loaded has been uploaded to the device.

Precautions

When the to-be-loaded page is customized, the page length and width are fixed. After adjusting the page, the administrator must upload and load the modified page again.

Currently, only Chinese or English page files can be loaded on the device.

Example

# Load the text file or hypertext file page.html to the built-in Portal server.

<Huawei> system-view
[Huawei] portal local-server page-text load flash:/page.html
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.

portal local-server policy-text load

Function

The portal local-server policy-text load command loads a disclaimer page file to the built-in Portal server.

The undo portal local-server policy-text load command deletes the loaded disclaimer page file.

By default, no disclaimer page file is loaded to the built-in Portal server.

Format

portal local-server policy-text load string

undo portal local-server policy-text load

Parameters

Parameter

Description

Value

string

Specifies the name of the disclaimer page file to be loaded to the built-in Portal server.

The value is a string of 5 to 64 case-insensitive characters without spaces, in the format of [ drive ] [ path ] filename.
  • drive: indicates the storage device name.
  • path: indicates the directory and its subdirectory. The directory name cannot contain the following characters: ~, *, /, \, :, ', and ".
  • filename: indicates the file name. The file name extension must be .txt or .html. If you enter only the file name, the system considers that the file is stored in the default directory.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To customize a disclaimer page, upload the disclaimer page file to the device and run this command to load the file. After the file is loaded, the hyperlink Acceptable Use Policy will be displayed on the login page. You can click the link to visit the disclaimer page.

Prerequisites

The disclaimer page file to be loaded has been uploaded to the device.

Precautions

Currently, only Chinese and English disclaimer page files can be loaded on the device.

Example

# Load the disclaimer page file policy.html to the built-in Portal server.

<Huawei> system-view
[Huawei] portal local-server policy-text load policy.html
Info: The loading process may take a few seconds.Please wait for a moment.
Info: Load web file successfully.

portal quiet-period

Function

The portal quiet-period command enables the quiet timer for Portal authentication.

The undo portal quiet-period command disables the quiet timer of Portal authentication.

By default, the quiet timer for Portal authentication is disabled.

Format

portal quiet-period

undo portal quiet-period

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the portal quiet-period command is used to enable the quiet timer for Portal authentication, if the number of Portal authentication failures exceeds the value specified by the portal quiet-times command, the device keeps the Portal authentication user in quiet state for a period of time. During the quiet period, the device discards Portal authentication requests from the user. This prevents frequent authentication attempts from affecting the system.

The quiet period for Portal authentication can be set using the portal timer quiet-period command. After the quiet period expires, the device re-authenticates the user.

Example

# Enable the quiet timer for Portal authentication.

<Huawei> system-view
[Huawei] portal quiet-period

portal quiet-times

Function

The portal quiet-times command sets the maximum number of authentication failures within 60s before a Portal authentication user is kept in quiet state.

The undo portal quiet-times command restores the default maximum number of authentication failures within 60s before a Portal authentication user enters the quiet state.

By default, the device allows a maximum of three authentication failures within 60s before a Portal authentication user enters the quiet state.

Format

portal quiet-times fail-times

undo portal quiet-times

Parameters

Parameter

Description

Value

fail-times

Specifies the maximum number of authentication failures before a Portal authentication user enters the quiet state.

The value is an integer that ranges from 1 to 10. The default value is 3.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the portal quiet-period command is used to enable the quiet timer, if the number of Portal authentication failures exceeds the value specified by the portal quiet-times command, the device keeps the Portal authentication user in quiet state for a period of time. This prevents the impact of frequent authentications on the system.

Example

# Set the maximum number of Portal authentication failures within 60 seconds to 4.

<Huawei> system-view
[Huawei] portal quiet-times 4

portal timer offline-detect

Function

The portal timer offline-detect command sets the Portal user offline detection interval.

The undo portal timer offline-detect command restores the default Portal user offline detection interval.

By default, the Portal user offline detection interval is 300 seconds.

Format

portal timer offline-detect time-length

undo portal timer offline-detect

Parameters

Parameter

Description

Value

time-length

Specifies the Portal user offline detection interval.

The value is an integer that ranges from 30 to 7200, in seconds. The default value is 300.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a Portal user goes offline due to a power failure or network interruption, the device and Portal server may still store the user information, which causes incorrect accounting. Additionally, only a limited number of users can access the device. If a user goes offline improperly but the device still stores the user information, other users cannot access the network.

After the Portal user offline detection interval is set, if the user does not respond within the interval, the device considers the Portal user offline. The device and Portal server then delete the user information and release resources to ensure efficient resource use.

Precautions

The portal timer offline-detect command only applies to Layer 2 Portal authentication.

The heartbeat detection function of the authentication server can be used to ensure the normal online status of PC users for whom Layer 3 Portal authentication is used. If the authentication server detects that a user goes offline, it instructs the device to disconnect the user.

Example

# Set the Portal user offline detection interval to 400s.

<Huawei> system-view
[Huawei] portal timer offline-detect 400

portal timer quiet-period

Function

The portal timer quiet-period command sets the quiet period for Portal authentication.

The undo portal timer quiet-period command restores the default quiet period for Portal authentication.

By default, the quiet period for Portal authentication is 60s.

Format

portal timer quiet-period quiet-period-value

undo portal timer quiet-period

Parameters

Parameter

Description

Value

quiet-period-value

Specifies the quiet period for Portal authentication.

The value is an integer that ranges from 10 to 3600, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the portal quiet-period command is used to enable the quiet timer, run the portal timer quiet-period command to set the quiet period for Portal authentication. If a Portal authentication user is kept in quiet state, the device discards Portal authentication requests from the user during the quiet period.
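The quiet timer described under portal quiet-period, portal quiet-times and portal timer quiet-period, as an added Python model that is not device code. It reads "exceeds the value specified by portal quiet-times" literally (with the default of 3, the fourth failure inside a 60-second window triggers the quiet state), discards requests while the user is quiet, and accepts them again once the quiet period expires; timestamps are plain seconds supplied by the caller.

```python
from collections import deque

FAILURE_WINDOW = 60  # the fixed 60-second window in which failures are counted


class PortalQuietState:
    """Per-user quiet-state tracker mirroring the three page commands.
    Added example; parameter names and defaults follow the page, except that
    quiet_enabled defaults to True here (the device default is disabled)."""

    def __init__(self, quiet_enabled=True, fail_times=3, quiet_period=60):
        self.quiet_enabled = quiet_enabled  # portal quiet-period
        self.fail_times = fail_times        # portal quiet-times (1..10, default 3)
        self.quiet_period = quiet_period    # portal timer quiet-period (10..3600 s, default 60)
        self._failures = {}                 # user -> deque of failure timestamps
        self._quiet_until = {}              # user -> time at which quiet state ends

    def _recent_failures(self, user, now):
        """Drop failures older than the 60-second window and return the rest."""
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] >= FAILURE_WINDOW:
            q.popleft()
        return q

    def is_quiet(self, user, now):
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._quiet_until[user]    # quiet period expired; re-authentication allowed
            return False
        return True

    def accept_request(self, user, now):
        """True if the device would process the authentication request,
        False if it would be discarded because the user is in quiet state."""
        return not (self.quiet_enabled and self.is_quiet(user, now))

    def record_failure(self, user, now):
        """Record a failed authentication; returns True when this failure
        pushes the user into quiet state."""
        q = self._recent_failures(user, now)
        q.append(now)
        if self.quiet_enabled and len(q) > self.fail_times:
            self._quiet_until[user] = now + self.quiet_period
            q.clear()
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


def simulate(events, **config):
    """Replay constructed (time, user, outcome) events, outcome 'fail' or 'ok'.
    Returns the (time, user) requests the device discards during quiet periods."""
    state = PortalQuietState(**config)
    discarded = []
    for t, user, outcome in events:
        if not state.accept_request(user, t):
            discarded.append((t, user))
            continue
        if outcome == "fail":
            state.record_failure(user, t)
        else:
            state.record_success(user)
    return discarded


# Constructed sample: four failures in 30 s, then two further attempts.
SAMPLE_EVENTS = [
    (0, "bob", "fail"), (10, "bob", "fail"), (20, "bob", "fail"),
    (30, "bob", "fail"),   # 4th failure inside 60 s: quiet until t=90 with defaults
    (40, "bob", "ok"),     # discarded while quiet
    (95, "bob", "ok"),     # quiet period over: processed and succeeds
]

if __name__ == "__main__":
    print("discarded with defaults:", simulate(SAMPLE_EVENTS))
    print("discarded with quiet timer disabled:", simulate(SAMPLE_EVENTS, quiet_enabled=False))
```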

Example

# Set the quiet period to 2000s.

<Huawei> system-view
[Huawei] portal timer quiet-period 2000

portal user-alarm percentage

Function

The portal user-alarm percentage command sets alarm thresholds for the Portal authentication user count percentage.

The undo portal user-alarm percentage command restores the default alarm thresholds for the Portal authentication user count percentage.

By default, the lower alarm threshold for the Portal authentication user count percentage is 50, and the upper alarm threshold for the Portal authentication user count percentage is 100.

Format

portal user-alarm percentage percent-lower-value percent-upper-value

undo portal user-alarm percentage

Parameters

Parameter

Description

Value

percent-lower-value

Specifies the lower alarm threshold for the Portal authentication user count percentage.

The value is an integer that ranges from 1 to 100.

percent-upper-value

Specifies the upper alarm threshold for the Portal authentication user count percentage.

The value is an integer that ranges from 1 to 100, but must be larger than or equal to the lower alarm threshold.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After running the portal max-user command to set the maximum number of online Portal authentication users allowed on a device, you can run the portal user-alarm percentage command to set alarm thresholds for the Portal authentication user count percentage.

When the percentage of online Portal authentication users against the maximum number of users allowed by the device exceeds the upper alarm threshold, the device generates an alarm. When the percentage of online Portal authentication users against the maximum number of users allowed by the device reaches or falls below the lower alarm threshold later, the device generates a clear alarm.

Example

# Set the lower alarm threshold for the Portal authentication user count percentage to 30, and the upper alarm threshold for the Portal authentication user count percentage to 80.

<Huawei> system-view
[Huawei] portal user-alarm percentage 30 80

force-push

Function

The force-push command enables the forcible URL template or URL push function.

The undo force-push command disables the forcible URL template or URL push function.

By default, the forcible URL template or URL push function is disabled.

Format

force-push { url-template template-name | url url-address }

undo force-push

Parameters

Parameter

Description

Value

url-template template-name

Specifies the name of a pushed URL template.

It is a string of 1 to 31 case-sensitive characters without spaces.

url url-address

Specifies a pushed URL.

It is a string of 1 to 200 case-sensitive characters without spaces.

Views

AAA domain view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a user is successfully authenticated, the device forcibly redirects the user to a web page when it receives the first HTTP packet from that user accessing a web page. Besides pushing advertisement pages, the device can obtain user terminal information from the HTTP packets sent by users and apply that information to other services. There are two ways to push web pages:
  1. URL: pushes the URL corresponding to the web page.
  2. URL template: pushes the URL template. A URL template must be created. The URL template contains the URL of the pushed web page and URL parameters.

Prerequisites

The URL configured using the url (URL template view) command in the URL template view cannot be a redirection URL; otherwise, the command does not take effect.

Precautions

If an application program that actively sends HTTP packets is installed on the user terminal, the terminal has sent the HTTP packet before the user accesses a web page. Therefore, the user is unaware of the web page push process.

Example

# Push the URL template abc in the domain huawei.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain huawei
[Huawei-aaa-domain-huawei] force-push url-template abc

remark

Function

The remark command configures the user group priority.

The undo remark command cancels the user group priority configuration.

By default, no user group priority is configured.

Format

remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value } *

undo remark { 8021p 8021p-value | dscp dscp-value | exp exp-value | lp lp-value } *

Parameters

Parameter

Description

Value

8021p 8021p-value

Specifies the priority for processing Layer 2 Ethernet packets.

The value is an integer that ranges from 0 to 7.

dscp dscp-value

Specifies the priority for processing IP packets.

The value is an integer that ranges from 0 to 63.

exp exp-value

Specifies the priority for processing MPLS packets.

The value is an integer that ranges from 0 to 7.

lp lp-value

Specifies the priority for processing internal packets in the device.

The value is an integer that ranges from 0 to 7.

Views

User group view

Default Level

2: Configuration level

Usage Guidelines

After the user group priority is configured, users in the user group inherit the priority. That is, different user packets have different priorities. In this way, the administrator can manage different types of users more flexibly.

Example

# Set the priority for processing IP packets to 3 in the user group abc.

<Huawei> system-view
[Huawei] user-group abc
[Huawei-user-group-abc] remark dscp 3

reset dot1x statistics

Function

The reset dot1x statistics command clears 802.1x authentication statistics.

Format

reset dot1x statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Clears 802.1x authentication statistics on a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If this parameter is not specified, 802.1x authentication statistics on the device are cleared.

-

Views

User view

Default Level

3: Management level

Usage Guidelines

The 802.1x authentication statistics contain the number of times that the authentication succeeded and failed on an interface and the number of sent and received packets.

The reset dot1x statistics command is used in the following scenarios:

  • Redeploy services. After the statistics are cleared, collect the 802.1x authentication statistics again, and run the display dot1x command to check whether the authentication function works properly and whether packets are correctly sent and received.
  • Rectify a fault. After the fault is rectified, run the reset dot1x statistics command to clear the statistics, collect the statistics on 802.1x authentication again, and then run the display dot1x command to verify the authentication result and check whether packets are correctly sent and received. If the authentication is successful and packets are correctly sent and received, the fault is rectified.

Example

# Clear 802.1x authentication statistics on Eth0/0/1.

<Huawei> reset dot1x statistics interface ethernet 0/0/1

reset mac-authen statistics

Function

The reset mac-authen statistics command clears MAC address authentication statistics.

Format

reset mac-authen statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } &<1-10> ]

Parameters

Parameter

Description

Value

interface { interface-type interface-number1 [ to interface-number2 ] }

Clears MAC address authentication statistics on a specified interface.

  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

If this parameter is not specified, MAC address authentication statistics on the device are cleared.

-

Views

User view

Default Level

3: Management level

Usage Guidelines

The MAC address authentication statistics contain the number of times that authentication succeeded and failed on an interface and the number of sent and received packets.

The reset mac-authen statistics command is used in the following scenarios:

  • Re-deploy services. After the statistics are cleared, collect the MAC address authentication statistics again, and run the display mac-authen command to check whether the authentication function is normal.
  • Rectify a fault. After the fault is rectified, run the reset mac-authen statistics command to clear statistics, collect MAC address authentication statistics again, and run the display mac-authen command to check the authentication result. If the authentication is successful, the fault is rectified.

Example

# Clear MAC address authentication statistics on Eth0/0/1.

<Huawei> reset mac-authen statistics interface ethernet 0/0/1

server-detect

Function

The server-detect command enables the Portal server detection function.

The undo server-detect command disables the Portal server detection function.

By default, the Portal server detection function is disabled.

Format

server-detect { interval interval-period | max-times times | critical-num critical-num | action { log | trap | { permit-all | offline } } * } *

undo server-detect [ action { log | trap | { permit-all | offline } } * ]

Parameters

Parameter

Description

Value

interval interval-period

Specifies the detection interval of the Portal server.

The value is an integer that ranges from 30 to 65535, in seconds.

The default value is 60.

max-times times

Specifies the maximum number of times that the detection fails.

The value is an integer that ranges from 1 to 255.

The default value is 3.

critical-num critical-num

Specifies the minimum number of Portal servers in Up state.

The value is an integer that ranges from 0 to 4.

The default value is 0.

action

Specifies the action to be taken after the number of detection failures exceeds the maximum.

-

log

Indicates that the device sends a log after the number of detection failures exceeds the maximum.

-

trap

Indicates that the device sends a trap after the number of detection failures exceeds the maximum.

-

permit-all

Cancels Portal authentication on an interface after the number of detection failures exceeds the maximum.

-

offline

Forces all users who went online through the Portal server offline after the number of detection failures exceeds the maximum.

-

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

If the communication is interrupted because the network between the device and Portal server is faulty or the Portal server is faulty, new Portal authentication users cannot go online. This brings great inconvenience to users.

After the Portal server detection function is enabled in the Portal server template, the device detects all Portal servers configured in the Portal server template. If the number of times that the device fails to detect a Portal server exceeds the upper limit, the status of the Portal server is changed from Up to Down. If the number of Portal servers in Up state is less than or equal to the minimum number (specified by the critical-num parameter), the device performs the corresponding operation to allow the administrator to obtain the real-time Portal server status or ensure that the users have certain network access rights.

NOTE:

The detection interval of the Portal server multiplied by the maximum number of detection failures cannot be less than the keepalive heartbeat interval of the Portal server. It is recommended that the configured detection interval of the Portal server be greater than the keepalive heartbeat interval of the Portal server.

Example

# Enable the Portal server detection function in the Portal server template abc. Configure the detection interval to 100 seconds, the maximum number of detection failures to 5, and the minimum number of Portal servers in Up state to 3. Configure the device to send log information when the number of detection failures exceeds the upper limit.

<Huawei> system-view
[Huawei] web-auth-server abc
[Huawei-web-auth-server-abc] server-detect interval 100 max-times 5 critical-num 3 action log
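An added example, not from the Huawei documentation: a Python model of the detection behaviour described in the Usage Guidelines (per-server failure counting, Up/Down transition, actions when the Up count falls to critical-num) together with a check of the timer rule in the NOTE. Server IP addresses, the keepalive value and the probe results are constructed; firing the actions only on the transition into the degraded state is a modelling choice, not something the page states.

```python
# Added example (not Huawei code): a model of Portal server detection as the
# server-detect command describes it.  Each server keeps a consecutive-failure
# counter; once the counter exceeds max-times the server is marked Down.  When
# the number of Up servers is <= critical-num, the configured actions fire.
from dataclasses import dataclass, field


@dataclass
class PortalServerDetect:
    """server-detect settings of one Portal server template plus runtime state."""
    interval: int = 60                 # detection interval, seconds (30..65535)
    max_times: int = 3                 # maximum number of detection failures (1..255)
    critical_num: int = 0              # minimum number of Up servers (0..4)
    actions: tuple = ("log",)          # subset of log, trap, permit-all, offline
    _fails: dict = field(default_factory=dict)   # server ip -> consecutive failures
    _state: dict = field(default_factory=dict)   # server ip -> "Up" or "Down"
    _degraded: bool = False            # True while Up count <= critical_num

    def __post_init__(self):
        if not 30 <= self.interval <= 65535 or not 1 <= self.max_times <= 255:
            raise ValueError("interval 30..65535 s, max-times 1..255")
        if not 0 <= self.critical_num <= 4:
            raise ValueError("critical-num 0..4")
        unknown = set(self.actions) - {"log", "trap", "permit-all", "offline"}
        if unknown:
            raise ValueError(f"unknown action(s): {sorted(unknown)}")

    def add_server(self, ip):
        # A template holds at most four server-ip entries; new servers start Up.
        if len(self._state) >= 4:
            raise ValueError("at most 4 Portal server IP addresses per template")
        self._fails[ip] = 0
        self._state[ip] = "Up"

    def up_count(self):
        return sum(1 for s in self._state.values() if s == "Up")

    def probe_result(self, ip, ok):
        """Record one detection result for ip and return the actions that fire.

        A server goes Down once its consecutive failure count exceeds max_times
        (i.e. on the (max_times + 1)-th miss in a row).  A successful probe
        resets the counter and brings the server back to Up.  Actions fire on
        the transition into "Up count <= critical_num" (modelling choice).
        """
        if ok:
            self._fails[ip] = 0
            self._state[ip] = "Up"
        else:
            self._fails[ip] += 1
            if self._fails[ip] > self.max_times:
                self._state[ip] = "Down"
        now_degraded = self.up_count() <= self.critical_num
        fired = list(self.actions) if now_degraded and not self._degraded else []
        self._degraded = now_degraded
        return fired

    def check_timers(self, keepalive_interval):
        """Apply the NOTE on timers; return a list of warnings (empty when fine)."""
        warnings = []
        if self.interval * self.max_times < keepalive_interval:
            warnings.append("interval * max-times must not be less than the "
                            "Portal server keepalive heartbeat interval")
        if self.interval <= keepalive_interval:
            warnings.append("recommended: detection interval greater than the "
                            "keepalive heartbeat interval")
        return warnings


if __name__ == "__main__":
    # Constructed scenario: two servers, default critical-num 0, so the actions
    # fire only when every server is Down.
    det = PortalServerDetect(interval=100, max_times=5, actions=("log", "offline"))
    det.add_server("10.1.1.1")
    det.add_server("10.1.1.2")
    for _ in range(6):
        det.probe_result("10.1.1.1", False)
    for _ in range(6):
        fired = det.probe_result("10.1.1.2", False)
    print("Up servers:", det.up_count(), "actions fired:", fired)
    print("timer warnings (keepalive 300 s):", det.check_timers(300))
```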

server-ip (Portal server template view)

Function

The server-ip command configures an IP address for a Portal server.

The undo server-ip command deletes an IP address for a Portal server.

By default, no IP address is configured for a Portal server.

Format

server-ip server-ip-address &<1-4>

undo server-ip { server-ip-address | all }

Parameters

Parameter Description Value
server-ip-address Specifies an IP address of a Portal server. The value is in dotted decimal notation.
all Deletes all IP addresses of a Portal server. -

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After creating a Portal server template on the device using the web-auth-server (system view) command, configure parameters for the template.

Run the server-ip command to configure an IP address for the Portal server in the Portal server template view. When receiving a Portal authentication request packet from a user, the device sends a response packet to the Portal server with the configured IP address.
NOTE:

The device supports a maximum of 4 Portal server IP addresses in a Portal server template so that Portal authentication users can use multiple IP addresses to access the Portal authentication page. This setting makes the authentication process flexible.

Precautions

After the IP address corresponding to a Portal server is configured in the Portal server template, users are allowed to access the IP address.

If more than one IP address is assigned to the same Portal server, you must run the url (Portal server template view) command to assign a URL to the Portal server; otherwise, an error message is displayed on the device when the template is bound to the VLANIF interface. You can only assign one URL to a Portal server.

If the Portal server has been bound to the VLANIF interface, run the undo web-auth-server command to unbind the Portal server from the VLANIF interface before changing the Portal server IP address.

Example

# Set the Portal server IP address in the Portal server template huawei to 10.10.10.1.

<Huawei> system-view
[Huawei] web-auth-server huawei
[Huawei-web-auth-server-huawei] server-ip 10.10.10.1

shared-key (Portal server template view)

Function

The shared-key command configures the shared key that the device uses to exchange information with a Portal server.

The undo shared-key command restores the default setting.

By default, no shared key that the device uses to exchange information with a Portal server is configured.

Format

shared-key cipher key-string

undo shared-key

Parameters

Parameter Description Value
cipher Displays a shared key in cipher text. -
key-string Specifies the shared key. The value is a string of case-sensitive characters without spaces. It can be a string of 48 characters in cipher text, or a string of 1 to 16 characters in plain text.

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a shared key is configured using the shared-key command, the Portal packet exchanged between the device and Portal server carries an authenticator generated according to the shared key, and the authenticator is used to check whether the Portal packet at the receiver is correct. This effectively improves the information exchange security.

Precautions

To improve security, it is recommended that the shared key be at least 6 characters long and contain at least two of the following character types: lower-case letters, upper-case letters, digits, and special characters.

Example

# Configure the shared key in the Portal server template huawei to huawei@123.

<Huawei> system-view
[Huawei] web-auth-server huawei
[Huawei-web-auth-server-huawei] shared-key cipher huawei@123

source-ip (Portal server template view)

Function

The source-ip command configures the source IP address for the device to communicate with a Portal server.

The undo source-ip command restores the default setting.

By default, no source IP address is configured for the device to communicate with a Portal server.

Format

source-ip ip-address

undo source-ip

Parameters

Parameter Description Value
ip-address Specifies the source IP address for communication with a Portal server. The value is in dotted decimal notation.

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure normal communication between the device and Portal server, run the source-ip command to configure a source IP address on the device.

If the device is configured with a loopback IP address and a common IP address, the device can communicate with the Portal server only when the loopback IP address and common IP address are the same. The source-ip command configures a source IP address on the device in the web-auth-server view to allow communication between the device and a Portal server.

Precautions

Ensure that the configured source IP address is the device IP address. The source IP address cannot be all 0s, all 1s, class D address, class E address, or loopback address.

Example

# Set the source IP address for communication between the device and a Portal server to 192.168.1.100 in the Portal server template huawei.

<Huawei> system-view
[Huawei] web-auth-server huawei 
[Huawei-web-auth-server-huawei] source-ip 192.168.1.100

url (Portal server template view)

Function

The url command configures the URL for a Portal server.

The undo url command restores the default setting.

By default, no URL is configured for a Portal server.

Format

url url-string

undo url

Parameters

Parameter Description Value
url-string

Specifies the URL of a Portal server. Portal authentication users can visit this URL to access the Portal server. A URL is easier to remember than an IP address.

The value is a string of 1 to 200 characters.

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the Portal server IP address is configured using the server-ip (Portal server template view) command, you can run the url command to configure a URL for the Portal server, which is easier to remember than an IP address. Portal authentication users can visit this URL to access the Portal server.

Precautions

  • A Portal server only has one URL.

  • If the Portal server has been bound to the VLANIF interface, run the undo web-auth-server command to unbind the Portal server from the VLANIF interface before changing the Portal server URL.

Example

# Set the URL of a Portal server to http://www.abc.com in the Portal server template huawei.

<Huawei> system-view
[Huawei] web-auth-server huawei
[Huawei-web-auth-server-huawei] url http://www.abc.com

url (URL template view)

Function

The url command configures the redirection URL or pushed URL.

The undo url command cancels the redirection URL or pushed URL.

By default, no redirection URL or pushed URL is configured.

Format

url [ push-only | redirect-only ] url-string [ ssid ssid ]

undo url [ push-only | redirect-only ] [ ssid ssid ]

Parameters

Parameter

Description

Value

url-string

Specifies the redirection URL or pushed URL.

It is a string of 1 to 200 case-sensitive characters without spaces.

ssid ssid

Specifies the SSID that users associate with.

This parameter is only valid for wireless access users.

The SSID that users associate with must be the same as that configured on the device; otherwise, the device cannot push URLs to users.

The SSID must already exist.

push-only

Specifies the URL as a pushed URL.

-

redirect-only

Specifies the URL as a redirection URL.

-

Views

URL template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a URL template is created using the url-template name command, you can run this command to configure the redirection URL or pushed URL. When a user without network access rights connects to the network, the Portal authentication device redirects the user to the specified URL for authentication. The difference between a redirection URL and a pushed URL is as follows:

  • Redirection URL: When a user without network access right connects to the network, the Portal authentication device redirects the user to the redirection URL for authentication.
  • Pushed URL: After an authenticated user accesses the network through web for the first time, the access device pushes the web page corresponding to the URL to the user. The web access request from the user is redirected to the specified URL, and then the user is allowed to access network resources.

Precautions

If the push-only and redirect-only parameters are not specified, the configured URL is used as both redirection URL and pushed URL. You can configure pushed URL using the force-push command, or use the url-template (Portal server template view) command to bind a URL template to the Portal server template to configure redirection URL.

Example

# Set the redirection URL to http://10.1.1.1.

<Huawei> system-view
[Huawei] url-template name huawei
[Huawei-url-template-huawei] url http://10.1.1.1

url-parameter

Function

The url-parameter command sets the parameters in URL.

The undo url-parameter command deletes the parameters in URL.

By default, a URL does not carry parameters.

Format

url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac ap-mac-value | redirect-url redirect-url-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value | user-mac user-mac-value | user-vlan user-vlan-value } *

undo url-parameter

Parameters

Parameter

Description

Value

ac-ip ac-ip-value

Specifies the IP address carried in the URL and sets the parameter name.

This parameter is only valid for wireless access users.

The value is a string of 1 to 16 case-sensitive characters without spaces.

ac-mac ac-mac-value

Specifies the MAC address carried in the URL and sets the parameter name.

This parameter is only valid for wireless access users.

The value is a string of 1 to 16 case-sensitive characters without spaces.

ap-ip ap-ip-value

Specifies the AP IP address carried in the URL and sets the parameter name.

This parameter is only valid for wireless access users.

The value is a string of 1 to 16 case-sensitive characters without spaces.

ap-mac ap-mac-value

Specifies the AP MAC address carried in the URL and sets the parameter name.

This parameter is only valid for wireless access users.

The value is a string of 1 to 16 case-sensitive characters without spaces.

redirect-url redirect-url-value

Specifies the original URL that a user accesses carried in the URL and sets the parameter name.

The value is a string of 1 to 16 case-sensitive characters without spaces.

ssid ssid-value

Specifies the SSID that users associate with, carried in the URL, and sets the parameter name.

This parameter is only valid for wireless access users.

The value is a string of 1 to 16 case-sensitive characters without spaces.

user-ipaddress user-ipaddress-value

Specifies the user IP address carried in the URL and sets the parameter name.

The value is a string of 1 to 16 case-sensitive characters without spaces.

sysname sysname-value

Specifies the device system name carried in the URL and sets the parameter name.

The value is a string of 1 to 16 case-sensitive characters without spaces.

user-mac user-mac-value

Specifies the user MAC address carried in the URL and sets the parameter name.

The value is a string of 1 to 16 case-sensitive characters without spaces.

user-vlan user-vlan-value

Specifies the user VLAN carried in the URL and sets the parameter name.

The value is a string of 1 to 16 case-sensitive characters without spaces.

Views

URL template view

Default Level

2: Configuration level

Usage Guidelines

After a URL template is created using the url-template name command and URL is configured using the url (URL template view) command, you can use the url-parameter command to set the parameters in the URL. When a user accesses the Portal server according to the URL, the Portal server obtains user terminal information through the parameters in the URL. The Portal server then provides the corresponding web authentication page for the user according to user terminal information.

In addition, when users are pushed to a website rather than the Portal server according to the URL, the website provides the different web pages for the users according to user terminal information carried in the URL.

Example

# Set the user MAC address and access device system name in the URL.

<Huawei> system-view
[Huawei] url-template name huawei
[Huawei-url-template-huawei] url-parameter user-mac usermac sysname huawei

url-parameter mac-address format

Function

The url-parameter mac-address format command configures the MAC address format in URL.

The undo url-parameter mac-address format command restores the default MAC address format in URL.

By default, the MAC address format in URL is XXXXXXXXXXXX.

Format

url-parameter mac-address format delimiter delimiter { normal | compact }

undo url-parameter mac-address format

Parameters

Parameter

Description

Value

delimiter delimiter

Specifies the delimiter in MAC address.

The value is one case-sensitive character without spaces.

normal

Sets the MAC address format to XX-XX-XX-XX-XX-XX.

-

compact

Sets the MAC address format to XXXX-XXXX-XXXX.

-

Views

URL template view

Default Level

2: Configuration level

Usage Guidelines

Portal servers or websites may require different MAC address formats. You can run the url-parameter mac-address format command to set MAC address formats in URL to meet the requirements of Portal servers.

Example

# Set the delimiter to - and format to XXXX-XXXX-XXXX.

<Huawei> system-view
[Huawei] url-template name huawei
[Huawei-url-template-huawei] url-parameter mac-address format delimiter - compact
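An added example, not from the Huawei documentation, serving both the url-parameter description above and the url-parameter mac-address format command: Python that renders a user MAC address in the three formats the command offers (default, normal, compact, with a configurable delimiter) and appends the configured URL parameters to a Portal URL. The parameter names usermac and huawei come from the page's example; the Portal URL, the user values and the original URL are constructed.

```python
# Added example (not Huawei code): builds the redirection URL that a URL
# template with url-parameter and url-parameter mac-address format settings
# would produce.  The MAC formats and parameter keywords are those of the two
# commands; the Portal URL and user data are constructed sample values.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def format_mac(mac, delimiter=None, style=None):
    """Render mac as the url-parameter mac-address format command does.

    style None      -> XXXXXXXXXXXX (the default, no delimiter)
    style 'normal'  -> XX<d>XX<d>XX<d>XX<d>XX<d>XX
    style 'compact' -> XXXX<d>XXXX<d>XXXX
    Input may use any common notation (aa:bb:cc:dd:ee:ff, aabb-ccdd-eeff, ...).
    """
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if style is None:
        return digits
    if delimiter is None or len(delimiter) != 1 or delimiter.isspace():
        raise ValueError("delimiter must be exactly one non-space character")
    if style not in ("normal", "compact"):
        raise ValueError("style must be 'normal' or 'compact'")
    width = 2 if style == "normal" else 4
    return delimiter.join(digits[i:i + width] for i in range(0, 12, width))


def build_redirect_url(portal_url, param_names, user, mac_delimiter=None, mac_style=None):
    """Append the configured url-parameter values to portal_url.

    param_names maps a url-parameter keyword (user-mac, sysname, redirect-url,
    user-ipaddress, user-vlan, ...) to the parameter name configured for it.
    user holds the per-session values.  Only keywords present in param_names
    are emitted, mirroring the device: unconfigured parameters are not sent.
    """
    values = dict(user)
    if "user-mac" in values:
        values["user-mac"] = format_mac(values["user-mac"], mac_delimiter, mac_style)
    extra = [(name, values[key]) for key, name in param_names.items() if key in values]
    scheme, netloc, path, query, fragment = urlsplit(portal_url)
    # urlencode percent-encodes the values, so the original URL carried in
    # redirect-url cannot inject its own query parameters into the Portal URL.
    merged = parse_qsl(query, keep_blank_values=True) + extra
    return urlunsplit((scheme, netloc, path, urlencode(merged), fragment))


def query_params(url):
    """Decode the query string of url back into a dict (used to inspect results)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    # url-parameter user-mac usermac sysname huawei redirect-url url  (constructed)
    names = {"user-mac": "usermac", "sysname": "huawei", "redirect-url": "url"}
    session = {"user-mac": "00:1a:2b:3c:4d:5e", "sysname": "AR510",
               "redirect-url": "http://example.com/index.html?x=1",
               "user-ipaddress": "192.168.1.20"}      # not configured, not sent
    print(build_redirect_url("http://www.abc.com/portal", names, session, "-", "compact"))
```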

url-template name

Function

The url-template name command creates a new URL template or enters an existing URL template view.

The undo url-template name command deletes a URL template.

By default, no URL template exists on the device.

Format

url-template name template-name

undo url-template name template-name

Parameters

Parameter

Description

Value

template-name

Specifies the name of a URL template.

The value is a string of 1 to 31 case-sensitive characters. It cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %. The value cannot be - or --.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After a Portal authentication server template is created using the web-auth-server (system view) command, you can bind a URL template to the Portal authentication server template. The URL template contains the redirection URL and redirection URL parameters.

The url-template name command creates a new URL template or enters an existing URL template view.

Example

# Create a URL template named huawei and enter the template view.

<Huawei> system-view
[Huawei] url-template name huawei

url-template (Portal server template view)

Function

The url-template command binds a URL template to a Portal server template.

The undo url-template command unbinds a URL template from a Portal server template.

By default, no URL template is bound to a Portal server template.

Format

url-template url-template

undo url-template

Parameters

Parameter

Description

Value

url-template

Specifies the name of a URL template.

The value must be an existing URL template name.

ciphered-parameter-name ciphered-parameter-name

Specifies the name of the encrypted URL template parameter.

The value is a string of 1 to 16 characters.

iv-parameter-name iv-parameter-name

Specifies the encryption vector name of the URL template parameter.

The value is a string of 1 to 16 characters.

key cipher key-string

Specifies the shared key for encrypting the URL template parameter.

The value is a string of 1-16 plain-text characters or 32 cipher-text characters.

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the parameters of a URL template are configured, the URL template must be bound to a Portal authentication server template so that users can be authenticated on the Portal authentication server corresponding to the redirection URL.

Prerequisites

A URL template has been created using the url-template name command.

Precautions

If a URL template is bound to the Portal authentication server template and the url (Portal server template view) command is executed to configure the redirection URL corresponding to the Portal authentication server, only the parameters in the URL template take effect.

Example

# Bind the URL template abc to the Portal authentication server template.

<Huawei> system-view
[Huawei] url-template name abc
[Huawei-url-template-abc] quit
[Huawei] web-auth-server huawei
[Huawei-web-auth-server-huawei] url-template abc

url-template

Function

The url-template command sets the interval for pushing web pages.

The undo url-template command restores the default interval for pushing web pages.

By default, the interval for pushing web pages is 20 minutes.

NOTE:

Only the AR510 series and AR503GW-LcM7 support this function.

Format

url-template template-name [ interval time ]

undo url-template

Parameters

Parameter Description Value
template-name Specifies the name of a URL template. The value is a string of 1 to 31 case-sensitive characters. It cannot be - or -- and cannot contain spaces or the following symbols: / \ : * ? " < > | @ ' %.
interval time Specifies the interval for pushing web pages. The value is an integer that ranges from 1 to 60, in minutes. The default value is 20.

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a user requests to access the Internet, the router preferentially uses the MAC address for user authentication and allows the access of the user only after the user is authenticated. After the interval for pushing web pages is configured, a user who is accessing the Internet is forcibly redirected to the specified web page at a fixed interval. The user must manually close the web page to resume Internet access. This function can be used for advertisement. The url-template command sets the interval for pushing web pages.

Prerequisites

The web-authentication first-mac command must be run to enable MAC address-prioritized Portal authentication and the web-auth-server (interface view) must be run to bind a Portal server profile to an interface.

Example

# Set the interval for pushing web pages to 30 minutes.

<Huawei> system-view
[Huawei] interface wlan-bss 0
[Huawei-Wlan-Bss0] web-authentication first-mac
[Huawei-Wlan-Bss0] quit
[Huawei] interface vlanif 99
[Huawei-Vlanif99] web-auth-server huawei direct
[Huawei-Vlanif99] url-template url1 interval 30
Info: Set force push enable.

user-group

Function

The user-group command creates a user group or displays the user group view.

The undo user-group command deletes a user group.

By default, no user group is configured.

Format

user-group group-name

undo user-group group-name

Parameters

Parameter Description Value
group-name Specifies the name of a user group. The value is a string of 1 to 64 case-sensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In practical NAC applications, there are many access users and a large number of ACL rules need to be configured for each user. However, the number of user types is limited.

You can run the user-group command to create user groups on the device and associate each user group to a group of ACL rules (for details, see acl-id (user group view)). In this way, users in the same group share a group of ACL rules. The limited ACL resources can support a large number of access users.

Precautions
  • The device supports a maximum of 16 user groups.
  • When you create a user group, ensure that the user group name is different from the number of an existing ACL. You can run the display acl all command to view the configuration of all ACL rules on the device.
  • If you want to delete the user group when the ACL bound to the user takes effect, run the cut access-user user-group group-name command to disconnect all users bound to the user group.
  • The priority of the user group authorization information delivered by the authentication server is higher than that of the user group authorization information applied in the AAA domain. If the user group authorization information delivered by the authentication server cannot take effect, the user group authorization information applied in the AAA domain also cannot be used. For example, if only user group B is configured on the device and the group authorization information is applied in the AAA domain when the authentication server delivers authorization information about user group A, the authorization information about user groups A and B both cannot take effect. To make the user group authorization information delivered by the authentication server take effect, ensure that this user group is configured on the device. To make the user group authorization information applied in the AAA domain take effect, ensure that the authentication server does not deliver any user group attribute.

Example

# Create a user group test1.

<Huawei> system-view
[Huawei] user-group test1

user-isolated

Function

The user-isolated command configures inter-group or intra-group isolation in a user group.

The undo user-isolated command disables inter-group or intra-group isolation in a user group.

By default, inter-group or intra-group isolation is not configured in a user group.

Format

user-isolated { inter-group | inner-group } *

undo user-isolated { inter-group | inner-group } *

Parameters

Item

Description

Value

inter-group

Configures inter-group isolation.

-

inner-group

Configures intra-group isolation.

-

Views

User group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After inter-group isolation is configured in a user group, users in the user group cannot communicate with users in other user groups.

After intra-group isolation is configured in a user group, users in the user group cannot exchange Layer 2 or Layer 3 packets with each other.

Precautions

After authorized users go online, the RADIUS server dynamically delivers user group information. In this situation, the inter-group or intra-group isolation configuration cannot be modified or deleted.

Example

# Configure inter-group and intra-group isolation in user group general-group.

<Huawei> system-view
[Huawei] user-group general-group
[Huawei-user-group-general-group] user-isolated inter-group inner-group

user-sync

Function

The user-sync command enables user information synchronization.

The undo user-sync command disables user information synchronization.

By default, user information synchronization is disabled.

Format

user-sync [ interval interval-period | max-times times ] *

undo user-sync

Parameters

Parameter Description Value
interval interval-period

Specifies the user information synchronization interval.

The value is an integer that ranges from 30 to 65535, in seconds. The default value is 300.
max-times times

Specifies the maximum number of user information synchronization failures.

The value is an integer that ranges from 2 to 255. The default value is 3.

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If communication is interrupted because the network between the device and Portal server is disconnected or the Portal server is faulty, online Portal authentication users cannot go offline. Therefore, user information on the device and on the Portal server may be inconsistent and accounting may be inaccurate.

The user-sync command enables user information synchronization so that user information on the device and Portal server is synchronized at intervals to ensure user information consistency.

NOTE:

During information synchronization, the device does not disconnect the user immediately after detecting that the device has certain user information while the server does not have such information. Instead, the device disconnects the user when the maximum number of user information synchronization failures is reached.

Precautions

If users go online during the keepalive interval of the Portal server (that is, while the server is unreachable), the Portal server does not have their entries. After the Portal server goes Up and starts synchronizing user information, the device does not disconnect these users even though synchronization fails for them. The device retains these users until they next go online and perform Portal authentication, ensuring good user experience.

The value of interval-period multiplied by times configured on the device must be greater than the interval at which the Portal server sends synchronization packets. Otherwise, the device reaches the maximum failure number without having received any synchronization packet from the Portal server and forces users offline although they are still online.
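The interplay between the device interval, max-times, the server's own synchronization period and the exemption for users who came online during an outage is easier to see in a small model. The following Python is an added illustration, not Huawei code and not something this page provides. Because the page does not specify the packet contents, it assumes that each synchronization packet from the Portal server carries the list of user IP addresses the server considers online, that a device interval in which no packet arrives counts as one failure for every non-exempt user, and that users who authenticated while the server was Down are exempt, as the Precautions describe. The IP addresses, timings and the wrongly_kicked helper are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class OnlineUser:
    ip: str
    online_during_outage: bool = False  # came online while the Portal server was unreachable
    sync_failures: int = 0              # consecutive intervals without confirmation from the server


class PortalSyncModel:
    """Device-side model of `user-sync interval <interval> max-times <max_times>` (assumed behaviour)."""

    def __init__(self, interval: int = 300, max_times: int = 3) -> None:
        if not 30 <= interval <= 65535:
            raise ValueError("interval must be 30..65535 seconds")
        if not 2 <= max_times <= 255:
            raise ValueError("max-times must be 2..255")
        self.interval = interval
        self.max_times = max_times
        self.users: Dict[str, OnlineUser] = {}
        self.server_up = True

    def server_down(self) -> None:
        self.server_up = False

    def user_online(self, ip: str) -> None:
        # A user who authenticates while the server is Down gets no entry on the server;
        # the device flags the user so that later sync failures do not disconnect them.
        self.users[ip] = OnlineUser(ip, online_during_outage=not self.server_up)

    def end_of_interval(self, sync_packet: Optional[List[str]]) -> List[str]:
        """Process one device interval. `sync_packet` is the list of user IPs in the latest
        synchronization packet received during the interval, or None if none arrived.
        Returns the IPs the device forces offline in this interval."""
        if sync_packet is not None:
            self.server_up = True
        kicked: List[str] = []
        for ip, user in list(self.users.items()):
            if sync_packet is not None and ip in sync_packet:
                user.sync_failures = 0          # server confirms the user: counter resets
                continue
            if user.online_during_outage:
                continue                        # retained until the user re-authenticates
            user.sync_failures += 1             # absent from the packet, or no packet at all
            if user.sync_failures >= self.max_times:
                kicked.append(ip)
                del self.users[ip]
        return kicked


def wrongly_kicked(interval: int, max_times: int, server_sync_interval: int,
                   horizon: int = 3600) -> List[str]:
    """Healthy Portal server that lists the user in a packet every `server_sync_interval`
    seconds, against a device checking every `interval` seconds. Returns the IPs the
    device forces offline even though the user never left; empty means the setting is safe."""
    user_ip = "192.0.2.10"   # constructed
    device = PortalSyncModel(interval, max_times)
    device.user_online(user_ip)
    kicked: List[str] = []
    t = 0
    while t + interval <= horizon:
        lo, hi = t, t + interval
        # Server packets arrive at every multiple of server_sync_interval.
        arrived = any(lo < k * server_sync_interval <= hi
                      for k in range(1, hi // server_sync_interval + 1))
        kicked += device.end_of_interval([user_ip] if arrived else None)
        t = hi
    return kicked


if __name__ == "__main__":
    # interval * max-times = 60 s is not greater than a 90 s server period: the user is dropped.
    print(wrongly_kicked(30, 2, 90))      # ['192.0.2.10']
    # The page's example values (100 s * 5) against the same server period: nothing is dropped.
    print(wrongly_kicked(100, 5, 90))     # []
```

The first call reproduces the failure the precaution warns about: two device intervals pass before the server's first packet, the counter reaches max-times, and a user who never left is forced offline. Raising the product above the server's period, as in the second call, makes every device interval contain at least one confirmation.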

Example

# Enable user information synchronization in the Portal server template abc, set the interval for user information synchronization to 100s, and set the maximum number of synchronization failures to 5.

<Huawei> system-view
[Huawei] web-auth-server abc
[Huawei-web-auth-server-abc] user-sync interval 100 max-times 5

user-vlan

Function

The user-vlan command configures a user group VLAN.

The undo user-vlan command restores the default setting.

By default, no user group VLAN is configured.

Format

user-vlan vlan-id

undo user-vlan

Parameters

Parameter

Description

Value

vlan-id

Specifies the ID of a user group VLAN.

The value is an integer that ranges from 1 to 4094.

Views

User group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a user group is created using the user-group command, you can run the user-vlan command to configure a user group VLAN, so that users in different user groups have different network access permissions. When a user in a user group goes online, the user is added to the user group VLAN to obtain the network access permission of this user group.

Prerequisites

The user group VLAN has been created using the vlan command.

Precautions

  • If a user uses Portal authentication or combined authentication (including Portal authentication), the device cannot authorize a VLAN to the user.

  • The user-vlan command does not take effect for the users who are already online.

Example

# Set the VLAN of the user group abc to 10.

<Huawei> system-view
[Huawei] user-group abc
[Huawei-user-group-abc] user-vlan 10

vpn-instance (Portal server template view)

Function

The vpn-instance command configures a VPN instance used for communication between the device and Portal server.

The undo vpn-instance command restores the default setting.

By default, no VPN instance is configured for communication between the device and Portal server.

Format

vpn-instance vpn-instance-name

undo vpn-instance

Parameters

Parameter

Description

Value

vpn-instance-name

Specifies the name of a VPN instance.

The value is a string of 1 to 31 case-sensitive characters without spaces.

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A VPN implements interconnection within the same department and between different departments in an enterprise. To enable the Portal authentication service in the VPN, run the vpn-instance command to bind a Portal server template to a VPN instance.

Prerequisites

A VPN instance has been created using the ip vpn-instance command.

Precautions

The VPN instance bound to the Portal server template must be the same as that bound to the Portal server; otherwise, the device cannot perform Portal authentication for access users.

The users in VPN instances bound to different Portal server templates cannot use the same IP addresses because users with the same IP addresses cannot go online or offline.

Example

# Bind the Portal server template abc to the VPN instance huawei.

<Huawei> system-view
[Huawei] web-auth-server abc
[Huawei-web-auth-server-abc] vpn-instance huawei

web-authentication first-mac

Function

The web-authentication first-mac command enables the function that prefers MAC addresses as accounts for Portal authentication.

The undo web-authentication first-mac command disables the function that prefers MAC addresses as accounts for Portal authentication.

By default, MAC addresses are not preferred as accounts for Portal authentication.

Format

web-authentication first-mac

undo web-authentication first-mac

Parameters

None

Views

WLAN-ESS interface view

Default Level

2: Configuration level

Usage Guidelines

After the function that prefers MAC addresses as accounts for Portal authentication is enabled, users are authenticated by the Portal server by using their MAC addresses as accounts. When this Portal authentication fails, the Portal server displays the authentication page, and users enter Portal accounts and passwords for Portal authentication again.

Example

# Enable the function that prefers MAC addresses as accounts for Portal authentication.

<Huawei> system-view
[Huawei] interface wlan-ess 1
[Huawei-Wlan-Ess1] web-authentication first-mac

web-auth-server (interface view)

Function

The web-auth-server command binds a Portal server template to an interface.

The undo web-auth-server command unbinds a Portal server template from an interface.

By default, no Portal server template is bound to an interface.

Format

web-auth-server server-name [ bak-server-name ] { direct | layer3 } (This command does not support the parameter direct and the parameter bak-server-name in the WAN interface view)

undo web-auth-server [ server-name [ bak-server-name ] { direct | layer3 } ] (This command does not support the parameter direct and the parameter bak-server-name in the WAN interface view)

Parameters

Parameter Description Value
server-name Specifies the name of the Portal server template.

The value must be an existing Portal server template name.

bak-server-name

Specifies the name of the secondary Portal server template.

NOTE:

The name of the secondary Portal server template must not be the keyword direct or layer3, because the command parser would read such a name as the authentication mode.

The value must be an existing Portal server template name.

direct Indicates Layer 2 authentication. -
layer3 Indicates Layer 3 authentication. -

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A configured Portal server template must be bound to the interface. In this way, the users connected to this interface can be authenticated by the Portal server.

When the Portal server template is bound to the interface using the web-auth-server command and a user attempts to access charged network resources, the user is forcibly redirected to the configured Portal authentication page for Portal authentication.

After the primary and secondary Portal server templates are configured, the users who send HTTP requests are redirected to the network access page provided by the secondary Portal server when the primary Portal server is faulty or cannot be accessed. This meets the users' network access requirements. This function can take effect only when the primary Portal server detection function is enabled using the server-detect command and heartbeat detection is enabled on the Portal server.

NOTE:

The command cannot be run on Layer 2 interfaces.

If you add an Eth-Trunk interface to a VLAN, Portal authentication cannot be performed for users connected to the Eth-Trunk interface after a Portal server template is bound to this VLANIF interface.

Portal authentication modes are as follows:
  • direct: When there is no Layer 3 forwarding device between the user and the device, the device can learn the user's MAC address. The device identifies the user by the IP address and MAC address together.
  • layer3: When there are Layer 3 forwarding devices between the user and the device, the device cannot learn the user's MAC address. The device identifies the user by the IP address only.
Use direct wherever the topology allows: identifying a user by IP address alone cannot distinguish the authenticated host from another host that later uses the same address.

Prerequisites

A Portal server template has been created using the web-auth-server (system view) command and an IP address has been configured for the Portal server using the server-ip (Portal server template view) command.

Precautions

  • For the secondary Portal server template, you only need to run the server-ip (Portal server template view) and url (Portal server template view) commands to configure the Portal server IP address and URL.
  • When configuring the secondary Portal server, you need to run the portal free-rule command to add the IP address of the secondary Portal server to the authentication-free rule.
  • You can bind only one Portal server template to an interface. To modify a Portal server template that has been bound to an interface, remove the template from the interface, modify the template, and bind the modified template to the interface again.
  • For wireless users, the Portal server template can be bound to only the VLANIF interface.

  • This command does not take effect on the VLANIF interface corresponding to the super VLAN.

Example

# Bind the Portal server template Server1 to VLANIF10, and set the authentication mode to Layer 3 authentication.

<Huawei> system-view
[Huawei] vlan batch 10
[Huawei] web-auth-server Server1
[Huawei-web-auth-server-Server1] server-ip 10.10.1.1
[Huawei-web-auth-server-Server1] quit
[Huawei] interface vlanif 10
[Huawei-Vlanif10] web-auth-server Server1 layer3

web-auth-server listening-port

Function

The web-auth-server listening-port command sets the number of the port through which a device listens on Portal protocol packets.

The undo web-auth-server listening-port command restores the default listening port.

By default, the device uses port 2000 to listen on Portal protocol packets.

Format

web-auth-server listening-port port-number

undo web-auth-server listening-port

Parameters

Parameter Description Value
port-number Specifies the number of the listening port. The value is an integer that ranges from 1024 to 55535.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the device exchanges user authentication information with the Portal server using the Portal protocol, you must configure the listening port on the device to receive Portal packets.

You can run the web-auth-server listening-port command to set the number of the port through which the device listens on Portal packets. The port number must be the same as the destination port number in Portal packets sent by the Portal server and must be unique.

NOTE:
If a specified port is occupied by another service or is a reserved port, the configuration fails. Ensure that the specified port is available when running this command.

Example

# Set the number of the port through which a device listens on Portal protocol packets to 3000.

<Huawei> system-view
[Huawei] web-auth-server listening-port 3000

web-auth-server reply-message

Function

The web-auth-server reply-message command enables the device to transparently transmit users' authentication responses sent by the authentication server to the Portal server.

The undo web-auth-server reply-message command disables the device from transparently transmitting users' authentication responses sent by the authentication server to the Portal server.

By default, the device transparently transmits users' authentication responses sent by the authentication server to the Portal server.

Format

web-auth-server reply-message

undo web-auth-server reply-message

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The AAA server requires that the authentication messages sent to the Portal server contain the authentication reply; therefore, the web-auth-server reply-message command is required. In certain situations, the authentication messages are not required to carry the reply. In this case, run the undo web-auth-server reply-message command.

By default, the device directly forwards the authentication result message from the RADIUS server to the Portal server without processing. This is called transparent transmission.

Example

# Disable the device from transparently transmitting users' authentication responses to the Portal server.

<Huawei> system-view
[Huawei] undo web-auth-server reply-message

web-auth-server (system view)

Function

The web-auth-server command creates a Portal server template or displays the Portal server template view.

The undo web-auth-server command deletes a Portal server template.

By default, no Portal server template is created.

Format

web-auth-server server-name

undo web-auth-server server-name

Parameters

Parameter

Description

Value

server-name

Specifies the name of a Portal server.

The value is a string of 1 to 31 case-sensitive characters without spaces.

NOTE:

server-name cannot be set to listening-port, reply-message, version, or the first character or several leftmost characters of these character strings.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an unauthenticated Portal user goes online, the device forces the user to log in to a specified website (also called the Portal website). The user can access resources in the Portal website for free. When the user attempts to access charged network resources, the user must pass authentication on the Portal website. The specific process is as follows:

  1. The unauthenticated user opens a web browser and enters a URL in the address box. When receiving the HTTP request sent by the user, the device redirects it to the Portal authentication page of the Portal server.
  2. The user enters user information on the authentication page or in the authentication dialog box, and the Portal server forwards the user information to the device.
  3. After receiving the user information from the Portal server, the device sends the information to the authentication server for authentication and accounting.
  4. After the user is authenticated, the device allows the user to access the Internet if no security policy is enforced.

After a Portal server template is created on the device by using the web-auth-server command, run other commands to create a route from the device to the Portal server.

Follow-up Procedure

Run the following commands to configure related attributes of the Portal server template:

Precautions

You are advised to back up the Portal server data to prevent authentication failure caused by the Portal server fault.

A maximum of eight Portal server templates can be configured on the device.

If you want to run the undo web-auth-server command to delete a Portal server template, ensure that the Portal server template is not bound to the VLANIF interface.

Example

# Create the Portal server template huawei.

<Huawei> system-view
[Huawei] web-auth-server huawei

web-auth-server version

Function

The web-auth-server version command sets the Portal protocol version supported by the device.

By default, the device supports both the versions V1.0 and V2.0.

Format

web-auth-server version v2 [ v1 ]

Parameters

Parameter Description Value
v2 Indicates that the device supports the Portal protocol version V2.0. The major version currently used is V2.0. -
v1 Indicates that the device supports the Portal protocol version V1.0. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Currently, the Portal protocol has two versions: V1.0 and V2.0. The device and Portal server must use the Portal protocol of the same version to ensure normal communication. You can run the web-auth-server version command to set the Portal protocol version supported by the device.
NOTE:

The version V2.0 is widely used currently.

To ensure smooth communication, the device supports both versions by default.
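To make the version choice, and the listening-port requirement of web-auth-server listening-port, concrete, here is an added example that is not from this page or from Huawei. It builds and checks Portal packets in both versions. It assumes the fixed header layout, type codes and the V2.0 authenticator rule (MD5 over the header with a zeroed authenticator field, the attributes and a shared key) from the published Portal 2.0 specification, which this page does not reproduce, and the shared key, addresses and attribute values are constructed; a real deployment must follow the Portal server vendor's documentation. In this model the practical difference is visible: a V1.0 packet carries no authenticator, so a device that still accepts V1.0 processes a logout notification from any host that can reach the listening port, while a V2.0 packet is dropped unless the shared key matches.

```python
import hashlib
import hmac
import socket
import struct

# Packet type codes as in the published Portal protocol specification (assumed here;
# the page only names the protocol versions).
REQ_CHALLENGE, ACK_CHALLENGE, REQ_AUTH, ACK_AUTH = 1, 2, 3, 4
REQ_LOGOUT, ACK_LOGOUT, AFF_ACK_AUTH, NTF_LOGOUT = 5, 6, 7, 8

# Fixed header: Ver, Type, Method (1 = PAP), Rsv, SerialNo, ReqID, UserIP, UserPort, ErrCode, AttrNum
HEADER_FMT = "!BBBBHH4sHBB"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes; V2.0 appends a 16-byte Authenticator
AUTH_LEN = 16


def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length (1 byte, includes the 2-byte TL), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(version, ptype, serial, req_id, user_ip, attrs=(), key=b"", method=1):
    """Build a V1.0 (no authenticator) or V2.0 (MD5 authenticator) Portal packet."""
    body = encode_attrs(attrs)
    hdr = struct.pack(HEADER_FMT, version, ptype, method, 0, serial, req_id,
                      socket.inet_aton(user_ip), 0, 0, len(attrs))
    if version == 1:
        return hdr + body
    # V2.0: Authenticator = MD5(header || 16 zero bytes || attributes || shared key)
    authenticator = hashlib.md5(hdr + bytes(AUTH_LEN) + body + key).digest()
    return hdr + authenticator + body


def parse_packet(data, key=b"", accepted_versions=(1, 2)):
    """Device-side acceptance check. `accepted_versions` mirrors `web-auth-server version`:
    (1, 2) is the default, (2,) corresponds to `web-auth-server version v2`.
    Raises ValueError on anything the device should drop."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet")
    ver, ptype, _method, _rsv, serial, req_id, ip, _port, err, attr_num = \
        struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if ver not in accepted_versions:
        raise ValueError(f"Portal version {ver} not enabled on the device")
    pos = HEADER_LEN
    if ver == 2:
        if len(data) < HEADER_LEN + AUTH_LEN:
            raise ValueError("short V2.0 packet")
        received = data[HEADER_LEN:HEADER_LEN + AUTH_LEN]
        body = data[HEADER_LEN + AUTH_LEN:]
        expected = hashlib.md5(data[:HEADER_LEN] + bytes(AUTH_LEN) + body + key).digest()
        if not hmac.compare_digest(received, expected):
            raise ValueError("authenticator mismatch: wrong shared key or tampered packet")
        pos = HEADER_LEN + AUTH_LEN
    attrs = []
    for _ in range(attr_num):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute")
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return {"version": ver, "type": ptype, "serial": serial, "req_id": req_id,
            "user_ip": socket.inet_ntoa(ip), "err_code": err, "attrs": attrs}


def device_accepts(data, key=b"", accepted_versions=(1, 2)):
    """True if the device would process the packet, False if it would drop it."""
    try:
        parse_packet(data, key, accepted_versions)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    KEY = b"portal-shared-key"   # constructed
    logout = build_packet(2, NTF_LOGOUT, 0x0101, 0, "192.0.2.10", key=KEY)
    print("V2 logout, right key :", device_accepts(logout, KEY))          # True
    print("V2 logout, wrong key :", device_accepts(logout, b"guess"))     # False
    spoofed = build_packet(1, NTF_LOGOUT, 0x0101, 0, "192.0.2.10")
    print("V1 logout, default   :", device_accepts(spoofed, KEY))         # True
    print("V1 logout, v2 only   :", device_accepts(spoofed, KEY, (2,)))   # False
```

The last two calls are the point of web-auth-server version v2: once the Portal server is known to speak V2.0, leaving V1.0 enabled only widens what the listening port accepts.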

Example

# Configure the device to use only the Portal protocol V2.0.

<Huawei> system-view
[Huawei] web-auth-server version v2

web-redirection disable (Portal server template view)

Function

The web-redirection disable command disables the Portal authentication redirection function.

The undo web-redirection disable command enables the Portal authentication redirection function.

By default, the Portal authentication redirection function is enabled.

Format

web-redirection disable

undo web-redirection disable

Parameters

None

Views

Portal server template view

Default Level

2: Configuration level

Usage Guidelines

By default, the device redirects all unauthenticated users to the Portal authentication page when they send access requests to external networks. If users are expected to enter the URL of the authentication page manually instead, run the web-redirection disable command so that unauthenticated users are not forcibly redirected to the Portal authentication page.
NOTE:

If the Portal server template has been bound to the VLANIF interface, this command cannot be executed.

After this command is executed, if multiple server IP addresses are configured in the Portal server template and no URL is configured, the device does not display error information when the Portal server template is bound to the VLANIF interface.

Example

# Disable the Portal authentication redirection function.

<Huawei> system-view
[Huawei] web-auth-server nac
[Huawei-web-auth-server-nac] web-redirection disable

web-service aaa server

Function

The web-service aaa server command configures a URL for the authentication and accounting server and enables the function of receiving user authorization information.

The undo web-service aaa server command deletes the URL configured for the authentication and accounting server and disables the function of receiving user authorization information.

By default, no URL is configured for the authentication and accounting server, and the function of receiving user authorization information is disabled.

NOTE:

Only the AR510 series, AR509GW-L-D-H, AR503GW-LM7, AR503GW-LcM7 that can work as a WLAN Fat AP support this command.

Format

web-service aaa server url authorize-enable

undo web-service aaa server

Parameters

Parameter

Description

Value

url

Specifies the URL of the authentication and accounting server.

The value is a string of 1 to 128 characters in the format of [http://]host[:port].

  • host: indicates an IP address or a domain name.
  • port: indicates a port number. The default value is 80.

    You need to add the port number to the IP address or domain name only when the default port number is changed.

NOTE:

If the value of host is in the domain name format, configure a DNS table before using this command; otherwise, the IP address matching the domain name cannot be obtained. If the DNS table is modified after this command is executed, run this command again.

authorize-enable

The function of receiving user authorization information is enabled.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Users connecting to the device through Wi-Fi can access the Internet only after being authenticated by the authentication and accounting server. You can run this command to configure a URL for the authentication and accounting server, and enable the function of receiving user authorization information. User authorization information includes online duration, traffic usage, and user bandwidth. When a user accesses the Internet, the device periodically sends accounting packets to the authentication and accounting server. The server performs accounting for the users based on user traffic statistics. When the online duration or traffic usage exceeds authorization, the device forcibly disconnects the user and sends the disconnection message of the user to the authentication and accounting server.

Example

# Configure a URL for the authentication and accounting server and enable the function of receiving user authorization information.

<Huawei> system-view
[Huawei] web-service aaa server http://10.1.1.1:81 authorize-enable

web-service access auto-logon

Function

The web-service access auto-logon command enables the device to automatically send an authentication request to the authentication server after a user associates with the device.

The undo web-service access auto-logon command disables the device from automatically sending an authentication request to the authentication server after a user associates with the device.

By default, the device does not automatically send an authentication request to the authentication server.

NOTE:

Only the AR510 series, AR509GW-L-D-H, AR503GW-LM7, AR503GW-LcM7 that can work as a WLAN Fat AP support this command.

Format

web-service access auto-logon

undo web-service access auto-logon

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Users connecting to the device through Wi-Fi can access the Internet only after being authenticated by the authentication and accounting server. To improve user experience, you can run this command to enable the device to automatically send an authentication request to the authentication server after a user associates with the device. The user can access the Internet after being authenticated by the authentication server.

Example

# Configure the device to automatically send an authentication request to the authentication server after a user associates with the device.

<Huawei> system-view
[Huawei] web-service access auto-logon

web-service access enable

Function

The web-service access enable command enables authentication and accounting functions on a WLAN-BSS interface.

The undo web-service access enable command disables authentication and accounting functions on a WLAN-BSS interface.

By default, authentication and accounting functions are disabled on a WLAN-BSS interface.

NOTE:

Only the AR510 series, AR509GW-L-D-H, AR503GW-LM7, AR503GW-LcM7 that can work as a WLAN Fat AP support this command.

Format

web-service access enable

undo web-service access enable

Parameters

None

Views

WLAN-BSS interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Users connecting to the device through Wi-Fi can access the Internet only after being authenticated. After authentication and accounting functions are enabled on a WLAN-BSS interface using this command, the device provides authentication and accounting functions to users.

Prerequisites

MAC address-prioritized Portal authentication has been enabled using the web-authentication first-mac command.

Example

# Enable authentication and accounting functions on a WLAN-BSS interface.

<Huawei> system-view
[Huawei] interface wlan-bss 0
[Huawei-Wlan-Bss0] web-authentication first-mac
[Huawei-Wlan-Bss0] web-service access enable

web-service access listening-port

Function

The web-service access listening-port command configures the listening port number for user login requests.

The undo web-service access listening-port command restores the default setting.

By default, the listening port number for user login requests is 2000.

NOTE:

Only the AR510 series, AR509GW-L-D-H, AR503GW-LM7, AR503GW-LcM7 that can work as a WLAN Fat AP support this command.

Format

web-service access listening-port port-number

undo web-service access listening-port

Parameters

Parameter

Description

Value

port-number

Specifies the listening port number for user login requests.

The value is an integer that ranges from 1024 to 55535.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Users use mobile terminals to associate with the device through Wi-Fi and send login requests to the device. After receiving the login requests, the device sends the login requests to the accounting and authentication server for identity authentication. By default, the listening port number for user login requests is 2000. To avoid conflict with other service port numbers, you can run this command to change the port number.

Example

# Set the listening port number for user login requests to 3000.

<Huawei> system-view
[Huawei] web-service access listening-port 3000

web-service accounting enable

Function

The web-service accounting enable command enables the device to send accounting packets to the authentication and accounting server.

The undo web-service accounting enable command disables the device from sending accounting packets to the authentication and accounting server.

By default, the device does not send accounting packets to the authentication and accounting server.

NOTE:

Only the AR510 series, AR509GW-L-D-H, AR503GW-LM7, AR503GW-LcM7 that can work as a WLAN Fat AP support this command.

Format

web-service accounting enable

undo web-service accounting enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After a user connects to the device through Wi-Fi, is authenticated by the authentication and accounting server, and obtains rights, the user can access the websites outside the whitelist. This command enables the device to send accounting request packets to the authentication and accounting server. When the authorized online traffic volume and duration of an online user are not exceeded, the device periodically sends accounting packets to the authentication and accounting server. The server performs accounting on the user based on the traffic usage when the user stays online.

Example

# Enable the device to send accounting packets to the authentication and accounting server.

<Huawei> system-view
[Huawei] web-service accounting enable

web-service accounting interval

Function

The web-service accounting interval command configures the interval at which the device sends accounting packets to the authentication and accounting server.

The undo web-service accounting interval command restores the default interval at which the device sends accounting packets to the authentication and accounting server.

By default, the device sends accounting packets to the authentication and accounting server at an interval of 30 seconds.

NOTE:

Only the AR510 series, AR509GW-L-D-H, AR503GW-LM7, AR503GW-LcM7 that can work as a WLAN Fat AP support this command.

Format

web-service accounting interval interval

undo web-service accounting interval

Parameters

Parameter

Description

Value

interval

Specifies the interval at which the device sends accounting packets to the authentication and accounting server.

The value is an integer that ranges from 5 to 60, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Users connecting to the device through Wi-Fi can access the Internet only after being authenticated by the authentication and accounting server. You can run this command to configure the interval at which the device sends accounting packets to the authentication and accounting server.

Example

# Set the interval at which the device sends accounting packets to the authentication and accounting server to 10 seconds.

<Huawei> system-view
[Huawei] web-service accounting interval 10
Updated: 2019-02-18

Document ID: EDOC1000097293