F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100

Configuration prerequisites
To configure the local portal server to support HTTPS, complete the following configurations first:
• Configure PKI policies, obtain the CA certificate, and apply for a local certificate. For more information, see VPN Configuration Guide.
• Configure the SSL server policy, and specify the PKI domain to be used, which is the one configured in the previous step. For more information, see Network Management Configuration Guide.
When you specify the protocol for the local portal server to support, the local portal server loads the
default authentication page file, which is expected to be saved in the root directory of the device.
Therefore, to make sure the local portal server uses the user-defined default authentication pages, you
must edit and save them properly. Otherwise, the system default authentication pages are used.
Configuration procedure
To configure the local portal server:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Configure the protocol type for the local portal server to support and load the default authentication page file.
  Command: portal local-server { http | https server-policy policy-name }
  Remarks: By default, the local portal server does not support any protocol.

Step 3. Configure the welcome banner of the default authentication pages of the local portal server.
  Command: portal server banner banner-string
  Remarks: Optional. No welcome banner by default.
Enabling Layer 3 portal authentication
You must enable Layer 3 portal authentication on an access interface before the interface can perform
portal authentication for connected clients.
Configuration prerequisites
Before enabling Layer 3 portal authentication on an interface, make sure:
• An IP address is configured for the interface.
• The interface is not added to any port aggregation group.
• The portal server to be referenced on the interface exists.
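The three prerequisites above, together with the http/https choice from the local portal server procedure, can be checked offline against a saved configuration. The script below is an added example, not code from the guide or from HP; the sample configuration is constructed, and the line forms `portal server NAME ip`, `ip address` and `port link-aggregation group` are assumptions about how the device displays its configuration.

```python
import re

# Constructed configuration excerpt, not taken from the guide. The line forms
# ("portal server NAME ip", "ip address", "port link-aggregation group") are
# assumptions about how the saved configuration is displayed.
SAMPLE_CONFIG = """\
portal server newpt ip 192.0.2.10
portal local-server http
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 portal server newpt method layer3
interface GigabitEthernet0/2
 port link-aggregation group 1
 portal server newpt method layer3
interface GigabitEthernet0/3
 ip address 203.0.113.1 255.255.255.0
 portal server ghost method layer3
"""

def audit_portal(config):
    """Return a list of findings for the portal prerequisites in this section."""
    findings = []
    # Portal servers defined in system view.
    defined = set(re.findall(r"^portal server (\S+) ip ", config, re.M))
    # Local portal server configured for plain HTTP rather than HTTPS.
    if re.search(r"^portal local-server http[ \t]*$", config, re.M):
        findings.append("global: local portal server uses http, not https")
    # Each interface block is a header line followed by indented lines.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name, body = m.groups()
        ref = re.search(r"^[ \t]+portal server (\S+) method layer3[ \t]*$", body, re.M)
        if ref is None:
            continue  # portal is not enabled on this interface
        if not re.search(r"^[ \t]+ip address \S+", body, re.M):
            findings.append(f"{name}: no IP address configured")
        if re.search(r"^[ \t]+port link-aggregation group \d+", body, re.M):
            findings.append(f"{name}: member of an aggregation group")
        if ref.group(1) not in defined:
            findings.append(f"{name}: portal server '{ref.group(1)}' is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit_portal(SAMPLE_CONFIG):
        print(finding)
```
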
Configuration guidelines
• You cannot enable portal authentication on a Layer 3 interface added to an aggregation group, nor can you add a portal-enabled Layer 3 interface to an aggregation group.
• The destination port number that the access device uses for sending unsolicited packets to the portal server must be the same as the port number that the remote portal server actually uses.
• The portal server and its parameters can be deleted or modified only when the portal server is not referenced by any interface.
• Cross-subnet authentication mode (portal server server-name method layer3) does not require Layer 3 forwarding devices between the access device and the authentication clients. However, if