R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101
• In re-DHCP authentication mode, a client can use a public IP address to send packets before
passing portal authentication. However, responses to the packets are restricted.
Configuration procedure
To enable Layer 3 portal authentication:
Step                                Command                                     Remarks
1. Enter system view.               system-view                                 N/A
2. Enter interface view.            interface interface-type interface-number   The interface must be a Layer 3 Ethernet interface.
3. Enable Layer 3 portal            portal server server-name method            Not enabled by default.
   authentication on the            { direct | layer3 | redhcp }
   interface.
NOTE:
• You cannot enable portal authentication on a Layer 3 interface added to an aggregation group, nor can
you add a portal-enabled Layer 3 interface to an aggregation group.
• The destination port number that the firewall uses for sending unsolicited packets to the portal server
must be the same as that which the remote portal server actually uses.
• The portal server and its parameters can be deleted or modified only when the portal server is not
referenced by any interface.
• Cross-subnet authentication mode (portal server server-name method layer3) does not require Layer 3
forwarding devices between the access device and the authentication clients. However, if there are Layer
3 forwarding devices between the authentication client and the access device, you must select the
cross-subnet portal authentication mode.
• In re-DHCP authentication mode, a client can use a public IP address to send packets before passing
portal authentication. However, responses to the packets are restricted.
Controlling access of portal users
Configuring a portal-free rule
A portal-free rule allows specified users to access specified external websites without portal
authentication.
The matching items for a portal-free rule include the source and destination IP address, source MAC
address, inbound interface, and VLAN. Packets matching a portal-free rule will not trigger portal
authentication, so that users sending the packets can directly access the specified external websites.
When you configure a portal-free rule, follow these guidelines:
• If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the
VLAN. Otherwise, the rule does not take effect.
• You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the
system prompts that the rule already exists.
• A Layer 2 interface in an aggregation group cannot be specified as the source interface of a
portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation
group.
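Because every portal-free rule is an exemption from authentication, it is worth checking a planned rule set against the guidelines above before entering it. The following is an added example, not code from this guide or from the vendor: the FreeRule model, the audit_free_rules function and all sample interface names, VLAN IDs and addresses are assumptions made for illustration, and the last check is an extra review heuristic rather than one of the guide's guidelines.

```python
from typing import NamedTuple, Optional

class FreeRule(NamedTuple):
    """Hypothetical model of one portal-free rule; None means 'not specified'."""
    number: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_mac: Optional[str] = None
    interface: Optional[str] = None
    vlan: Optional[int] = None

def audit_free_rules(rules, vlan_members, aggregation_members):
    """Return (rule number, finding) pairs. vlan_members maps VLAN ID -> set of
    interface names; aggregation_members is a set of aggregated interface names."""
    findings, seen = [], {}
    for r in rules:
        criteria = r[1:]  # every field except the rule number
        # Guideline 1: the interface must belong to the VLAN, else the rule is inert.
        if None not in (r.vlan, r.interface) and \
                r.interface not in vlan_members.get(r.vlan, set()):
            findings.append((r.number, "interface not in VLAN, rule has no effect"))
        # Guideline 2: identical filtering criteria are rejected as already existing.
        if criteria in seen:
            findings.append((r.number, f"same criteria as rule {seen[criteria]}"))
        seen.setdefault(criteria, r.number)
        # Guideline 3: the source interface cannot be an aggregation group member.
        if r.interface in aggregation_members:
            findings.append((r.number, "source interface is in an aggregation group"))
        # Added review heuristic (not from the guide): with no destination limit,
        # matching users skip portal authentication for every destination.
        if r.dst_ip is None:
            findings.append((r.number, "no destination restriction, review scope"))
    return findings

# Constructed sample data: interface names, VLAN IDs and addresses are made up.
VLANS = {10: {"GigabitEthernet0/1"}, 20: {"GigabitEthernet0/2"}}
AGGREGATED = {"GigabitEthernet0/3"}
RULES = [
    FreeRule(1, src_ip="192.0.2.10", dst_ip="198.51.100.5"),
    FreeRule(2, dst_ip="198.51.100.5", interface="GigabitEthernet0/2", vlan=10),
    FreeRule(3, src_ip="192.0.2.10", dst_ip="198.51.100.5"),
    FreeRule(4, src_mac="0011-2233-4455", interface="GigabitEthernet0/3"),
]

if __name__ == "__main__":
    for number, finding in audit_free_rules(RULES, VLANS, AGGREGATED):
        print(f"rule {number}: {finding}")
```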