R3303-HP HSR6800 Routers Security Configuration Guide

You can modify the authorized ACLs on the access device. However, your changes take effect only on
portal users logging on after the modification.
Specifying a portal server for Layer 3 portal authentication
Perform this task to specify portal server parameters for Layer 3 portal authentication, including the portal
server IP address, shared encryption key, server port, and the URL address for Web authentication.
Follow these guidelines when you specify a portal server for Layer 3 authentication:
• The specified parameters of a portal server can be modified or deleted only if the portal server is not referenced on any interface.
• To make sure the device can send packets to the portal server in an MPLS VPN, specify the VPN instance to which the portal server belongs when specifying the portal server on the device.
To specify a portal server for Layer 3 authentication:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify a portal server and configure related parameters.
   Command: portal server server-name ip ip-address [ key [ cipher | simple ] key-string | port port-id | server-type { cmcc | imc } | url url-string | vpn-instance vpn-instance-name ] *
   Remarks: By default, no portal server is specified.
Enabling Layer 3 portal authentication
You must first enable portal authentication on an access interface before it can perform portal
authentication for connected clients.
Configuration guidelines
• You can enable both direct/cross-subnet portal authentication and 802.1X authentication on a Layer 3 interface, and a user can access the network after passing either authentication. If you enable both 802.1X authentication and re-DHCP portal authentication on a Layer 3 interface, portal authentication will fail. For information about 802.1X, see "Configuring 802.1X."
• The destination port number that the access device uses for sending unsolicited packets to the portal server must be the same as the port number that the remote portal server actually uses.
• The portal server and its parameters can be deleted or modified only when the portal server is not referenced by any interface.
• Cross-subnet authentication mode (portal server server-name method layer3) does not require Layer 3 forwarding devices between the access device and the authentication clients. However, if Layer 3 forwarding devices exist between the authentication client and the access device, you must select the cross-subnet portal authentication mode.
• In re-DHCP authentication mode, a client can use a public IP address to send packets before passing portal authentication. However, responses to the packets are restricted.
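
The following Python check is an added example, not part of the HP guide. It reads configuration text in the command forms shown in this section and reports portal servers defined without a shared key or with the simple keyword, interfaces that reference an undefined portal server, interfaces that combine 802.1X with re-DHCP portal authentication, and the servers that are referenced by an interface and so cannot be modified or deleted. Assumptions: simple means the key is entered in plaintext, re-DHCP mode is written as method redhcp, 802.1X is enabled on an interface with a dot1x line, and all names and addresses in the sample are constructed.

```python
import re

# Constructed sample configuration (not from the guide). "method redhcp" and the
# interface-view "dot1x" line are assumed spellings; names and addresses are made up.
SAMPLE = """\
portal server pts1 ip 192.0.2.10 key simple Example123 port 50100 url http://192.0.2.10/portal
portal server pts2 ip 192.0.2.20 url http://192.0.2.20/portal
portal server pts3 ip 192.0.2.30 key cipher EXAMPLECIPHERTEXT vpn-instance vpn1
interface GigabitEthernet1/0/1
 portal server pts1 method layer3
interface GigabitEthernet1/0/2
 dot1x
 portal server pts3 method redhcp
interface GigabitEthernet1/0/3
 portal server pts9 method layer3
"""

DEFINE = re.compile(r"^portal server (\S+) ip \S+(.*)$")   # system-view definition
BIND = re.compile(r"^\s+portal server (\S+) method (\S+)")  # interface-view reference

def audit(config):
    """Return (findings, locked); locked = servers referenced by an interface."""
    findings, defined, locked = [], set(), set()
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {"dot1x": False, "binds": []}
        elif (m := DEFINE.match(line)):
            name, opts = m.group(1), m.group(2).split()
            defined.add(name)
            # Token after "key" is cipher, simple, or the key string itself.
            key_kw = opts[opts.index("key") + 1:][:1] if "key" in opts else None
            if key_kw is None:
                findings.append((name, "no shared key configured"))
            elif key_kw == ["simple"]:
                findings.append((name, "key entered with simple"))
        elif current and line.startswith(" ") and line.strip() == "dot1x":
            ifaces[current]["dot1x"] = True
        elif current and (m := BIND.match(line)):
            ifaces[current]["binds"].append(m.groups())
    for name, state in ifaces.items():
        for server, method in state["binds"]:
            if server in defined:
                locked.add(server)  # cannot be modified or deleted until unbound
            else:
                findings.append((name, f"references undefined server {server}"))
            if method == "redhcp" and state["dot1x"]:
                findings.append((name, "802.1X with re-DHCP portal"))
    return findings, locked
```

Run audit on the saved configuration text before changing a portal server: any server in the second return value must first be removed from its interfaces.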