S600-E V200R010C00 Configuration Guide - User Access and Authentication

This document describes the working mechanisms, configuration procedures, and configuration examples of User Access and Authentication features, such as AAA, NAC, and Policy Association.

Configuring a Portal Access Profile (for a Built-in Portal Server)

The device supports external and built-in Portal servers. An external Portal server has independent hardware. A built-in Portal server is an embedded entity on an access device, that is, the access device functions as the Portal server. After receiving a Portal authentication request from a client, the Portal server initiates a Portal authentication request carrying the user name and password to the access device through the Portal protocol.

After configuring the Portal server, you must bind the Portal server profile to a Portal access profile. When users who use the Portal access profile attempt to access charged network resources, they are forcibly redirected to the authentication page of the Portal server for Portal authentication.

This section describes how to configure the Portal server and Portal access profile when using a built-in Portal server.

Configuring a Built-in Portal Server

Context

Compared with an external Portal server, a built-in Portal server is easy to use, cost-effective, and easy to maintain. When configuring the built-in Portal server function, you need to specify the IP address of the built-in Portal server and enable the built-in Portal server function globally.

NOTE:

If the time on a client differs from that on the built-in Portal server, the client cannot pass authentication or cannot go offline after passing authentication. Therefore, ensure that the time zone and time on the device are correct when configuring the built-in Portal server function.

The built-in Portal server function is not supported for VPN users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal local-server ip ip-address

    An IP address is configured for the built-in Portal server.

    By default, no IP address is configured for the built-in Portal server.

    NOTE:

    The IP address of the built-in Portal server is the IP address of a Layer 3 interface that has a reachable route to the user.

  3. Run portal local-server https ssl-policy policy-name [ port port-num ]

    The built-in Portal server function is enabled globally.

    By default, the built-in Portal server function is disabled globally.

    NOTE:

    Ensure that an SSL policy exists and the digital certificate has been successfully loaded.

  4. (Optional) Run portal local-server authentication-method { chap | pap }

    The authentication mode of the built-in Portal server is configured.

    By default, the CHAP authentication mode is used.

(Optional) Customizing the Page of the Built-in Portal Server

Context

When a built-in Portal server is used for authentication, the device as the built-in Portal server forcibly pushes the login page to users. The users can enter the user name and password on the login page for authentication.

The device supports login page customization to meet various user requirements. For example, you can load a logo on the login page, change the background image or color of the login page, and push an advertisement page.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Customize the login page of the built-in Portal server.

    • Run portal local-server logo load logo-file

      A logo is loaded on the login page of the built-in Portal server.

      By default, no logo is loaded on the login page of the built-in Portal server.

    • Run portal local-server ad-image load ad-image-file

      An advertisement page file is loaded on the login page of the built-in Portal server.

      By default, no advertisement page file is loaded on the login page of the built-in Portal server.

    • Run portal local-server page-text load string

      A text or hypertext file is loaded on the login page of the built-in Portal server.

      By default, no text or hypertext file is loaded on the login page of the built-in Portal server.

    • Run portal local-server policy-text load string

      A disclaimer page file is loaded on the login page of the built-in Portal server.

      By default, no disclaimer page file is loaded on the login page of the built-in Portal server.

    • Run portal local-server background-image load { background-image-file | default-image1 }

      A background image is loaded on the login page of the built-in Portal server.

      By default, two background images default-image0 and default-image1 exist on the device, and the built-in Portal server uses the background image default-image0.

    • Run portal local-server background-color background-color-value

      The background color is configured for the login page of the built-in Portal server.

      By default, no background color is configured for the login page of the built-in Portal server.

(Optional) Configuring the Heartbeat Detection Function for the Built-in Portal Server

Context

When a user closes the browser or an exception occurs, the device can detect the user's online state to determine whether to force the user offline. The administrator can configure the heartbeat detection function of the built-in Portal server. If the device does not receive a heartbeat packet from the client within a specified period, the device forces the user offline. The heartbeat detection function of the built-in Portal server works in either of the following modes:
  • Forcible detection mode: This mode is valid for all users. If the device does not receive a heartbeat packet from a user within a specified period, the device forces the user offline.
  • Automatic detection mode: The device checks whether the client browser supports the heartbeat program. If it does, the forcible detection mode is used for the user; if it does not, the device does not detect the user. You are advised to configure this mode to prevent users from going offline because the browser does not support the heartbeat program.
    NOTE:

    Currently, the heartbeat program is supported by Internet Explorer 8, Firefox 3.5.2, Chrome 28.0.1500.72, and Opera 12.00 on Windows 7. A Java program must be installed and configured on the operating system.

    Browsers using Java 1.7 and later versions do not support the heartbeat program.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal local-server keep-alive interval interval-value [ auto ]

    The heartbeat detection function is enabled for the built-in Portal server.

    By default, the heartbeat detection function is disabled for the built-in Portal server.

(Optional) Configuring the Session Timeout Interval for Users Authenticated Through the Built-in Portal Server

Context

When built-in Portal authentication is used for users and the device functions as a built-in Portal server, you can configure the session timeout interval for the users. The users are disconnected after the specified session timeout interval. To connect to the network again, the users need to be re-authenticated.

The session timeout interval for built-in Portal authentication users is calculated based on the device time. For example, if the session timeout interval is 6 hours and the device time is 2014-09-01 02:00:00 when a user connects, the user is disconnected at 2014-09-01 08:00:00. Therefore, ensure that the device time and time zone are correct after the session timeout interval is configured for users. If the device time is incorrect, users may fail to be connected or disconnected properly. You can run the display clock command to check the device time and the time zone.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal local-server timer session-timeout interval

    The session timeout interval is configured for users authenticated through the built-in Portal server.

    By default, the session timeout interval is 8 hours for users authenticated through the built-in Portal server.

(Optional) Configuring the Log Suppression Function for Users Authenticated Through the Built-in Portal Server

Context

The device generates logs when users authenticated through the built-in Portal server fail to go online or offline. If a user fails to go online or offline, the user attempts to go online or offline repeatedly, and the device generates a large number of logs within a short time. This results in a high failure rate in the statistics and degrades system performance. You can enable the log suppression function for users authenticated through the built-in Portal server. The device then generates only one log if a user fails to go online or offline within a suppression period.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal local-server syslog-limit enable

    The log suppression function is enabled for users authenticated through the built-in Portal server.

    By default, the log suppression function is enabled for users authenticated through the built-in Portal server.

  3. (Optional) Run portal local-server syslog-limit period value

    The log suppression period is configured for users authenticated through the built-in Portal server.

    By default, the log suppression period is 300 seconds for users authenticated through the built-in Portal server.

Creating a Portal Access Profile

Context

The device uses Portal access profiles to uniformly manage the access configurations of all Portal users. Before configuring Portal authentication, you need to create a Portal access profile.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    A Portal access profile is created and the Portal access profile view is displayed.

    By default, the device has the built-in Portal access profile portal_access_profile.

    NOTE:
    • The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in portal access profile portal_access_profile can be modified and applied, but cannot be deleted.
    • Before deleting a portal access profile, ensure that this profile is not bound to any authentication profile.

Configuring a Built-in Portal Server for a Portal Access Profile

Context

To use Portal authentication, you must configure Portal server parameters on the device. The device supports external and built-in Portal servers. To use a built-in Portal server for authentication, you need to enable the built-in Portal server function globally, and then enable the built-in Portal server function in a Portal access profile. When users who use the Portal access profile attempt to access charged network resources, they are forcibly redirected to the authentication page of the Portal server for Portal authentication.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run portal-access-profile name access-profile-name

    The Portal access profile view is displayed.

  3. Run portal local-server enable

    The built-in Portal server function is enabled in the Portal access profile.

    By default, the built-in Portal server function is disabled in a Portal access profile.

  4. (Optional) Run portal local-server anonymous

    The anonymous login function is enabled for users authenticated through the built-in Portal server.

    By default, the anonymous login function is disabled for users authenticated through the built-in Portal server.

    In places such as airports, hotels, cafes, and public recreation places, the anonymous login function allows users to access the network without entering the user name and password, facilitating network service provisioning.

    When anonymous login is configured, you are advised to set the AAA authentication mode to none (no authentication).

Verifying the Built-in Portal Server and Portal Access Profile Configuration

Context

After configuring a built-in Portal server and a Portal access profile, run the following commands to check the configuration.

Procedure

  • Run the display portal-access-profile configuration [ name access-profile-name ] command to check the configuration of the Portal access profile.
  • Run the display portal local-server command to check the configuration of the built-in Portal server.
  • Run the display portal local-server page-information command to check the page files loaded to the memory of a built-in Portal server.
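
An added example (not part of the Huawei guide or the device software): a small Python check that reads a saved configuration and reports the built-in Portal server settings described in this section that a reviewer would want to look at. The sample configuration is constructed, and the example assumes that the saved configuration echoes the commands as typed, with profile-view commands indented under the profile line.

```python
import re

# Constructed sample config: commands are from this page; the address, policy
# name and profile name are made up. Assumes the saved configuration echoes the
# commands as typed, with profile-view commands indented under the profile line.
SAMPLE_CONFIG = """\
portal local-server ip 192.0.2.1
portal local-server https ssl-policy example_policy
portal local-server authentication-method pap
#
portal-access-profile name guest_profile
 portal local-server enable
 portal local-server anonymous
#
"""

def parse(config):
    """Split config text into system-view commands and per-profile commands."""
    global_cmds, profiles, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace():  # indented: belongs to the view opened above
            if current is not None:
                profiles[current].append(line)
            continue
        m = re.match(r"portal-access-profile name (\S+)$", line)
        current = m.group(1) if m else None
        if m:
            profiles.setdefault(current, [])
        else:
            global_cmds.append(line)
    return global_cmds, profiles

def audit(config):
    """Return (scope, finding) pairs for settings worth a reviewer's attention."""
    cmds, profiles = parse(config)
    has = lambda prefix: any(c.startswith(prefix) for c in cmds)
    findings = []
    if not has("portal local-server ip "):
        findings.append(("global", "no IP address set for the built-in Portal server"))
    if "portal local-server authentication-method pap" in cmds:
        findings.append(("global", "PAP selected instead of the default CHAP"))
    if not has("portal local-server keep-alive interval "):
        findings.append(("global", "heartbeat detection is off (the default)"))
    for name, pcmds in profiles.items():
        if "portal local-server enable" in pcmds and not has("portal local-server https ssl-policy "):
            findings.append((name, "server enabled in profile but not enabled globally"))
        if "portal local-server anonymous" in pcmds:
            findings.append((name, "anonymous login: no user name or password required"))
    return findings
```

PAP places the password itself in the authentication request, whereas CHAP answers a challenge with a hash, which is why a change away from the default is reported.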
Updated: 2019-08-21

Document ID: EDOC1000141885
