R3721-F3210-F3171-HP High-End Firewalls Access Control Configuration Guide-6PW101

If the firewall receives no reply from a portal user after sending probe packets to that user the
maximum number of times, it considers the portal user offline, stops sending probe packets to the
user, and deletes the user.
To configure online Layer 3 portal user detection:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure online Layer 3 portal user detection. | access-user detect type arp retransmit number interval interval | Not configured by default. |
NOTE:
Adjust the maximum number of transmission attempts and the interval of sending probe packets
according to the actual network conditions.
Configuring the portal server detection function
During portal authentication, if the communication between the access device and portal server is
broken off, new portal users will not be able to log on and the online portal users will not be able to log
off normally. To address this problem, the access device needs to be able to detect the reachability
changes of the portal server quickly and take corresponding actions to deal with the changes. For
example, once detecting that the portal server is unreachable, the access device will allow portal users
to access network resources without authentication. This function is referred to as portal authentication
bypass. It allows for flexible user access control.
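Because bypass gives users access without authentication while the portal server is down, it helps to know exactly when the device would switch states. The sketch below is an added example, not part of the original guide or HP's implementation: it models HTTP-port probing with a maximum number of consecutive failed probes and reports the probe intervals during which bypass would be active. The names PortalServerMonitor and bypass_windows, the recovery on the first successful probe, and the sample probe history are assumptions.

```python
import socket
from typing import List, Tuple

def tcp_probe(host: str, port: int = 80, timeout: float = 2.0) -> bool:
    """HTTP-method probe: succeeds if a TCP connection to the HTTP port opens."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

class PortalServerMonitor:
    """Hypothetical helper: derives reachability from consecutive probe results."""
    def __init__(self, max_attempts: int):
        self.max_attempts = max_attempts  # maximum consecutive failed probes
        self.reachable = True             # assumed initial state
        self.failures = 0
        self.events: List[Tuple[int, str]] = []

    def record(self, tick: int, probe_ok: bool) -> bool:
        """Feed one probe result; return True while bypass would be active."""
        if probe_ok:
            self.failures = 0
            if not self.reachable:        # assumption: one success restores state
                self.reachable = True
                self.events.append((tick, "portal server reachable, authentication enforced"))
        else:
            self.failures += 1
            if self.reachable and self.failures >= self.max_attempts:
                self.reachable = False
                self.events.append((tick, "portal server unreachable, bypass active"))
        return not self.reachable

def bypass_windows(results: List[bool], max_attempts: int) -> List[Tuple[int, int]]:
    """Return [start, end) probe-interval ranges during which bypass was active."""
    mon, windows, start = PortalServerMonitor(max_attempts), [], None
    for tick, ok in enumerate(results):
        active = mon.record(tick, ok)
        if active and start is None:
            start = tick
        elif not active and start is not None:
            windows.append((start, tick))
            start = None
    if start is not None:                 # still in bypass at end of history
        windows.append((start, len(results)))
    return windows

# Constructed probe history, one entry per probe interval (True = TCP connect succeeded).
SAMPLE = [True, False, False, True, False, False, False, False, True, True]
```

In live use, feed record() with tcp_probe() results once per probe interval and forward the events list to your logging pipeline so that each unauthenticated-access window is recorded.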
With the portal server detection function, the access device can detect the status of a specific portal
server. The specific configurations include:
• Detection methods (you can choose either or both)
  ○ Probing HTTP connections: The access device periodically sends TCP connection requests to
    the HTTP service port of the portal servers configured on its interfaces. If the TCP connection
    with a portal server can be established, the access device considers that the probe succeeds
    (the HTTP service of the portal server is open and the portal server is reachable). If the TCP
    connection cannot be established, the access device considers that the probe fails and the
    portal server is unreachable.
  ○ Probing portal heartbeat packets: A portal server that supports the portal heartbeat function
    (currently only the portal server of IMC supports this function) sends portal heartbeat packets to
    portal access devices periodically. If an access device receives a portal heartbeat packet or an
    authentication packet within a probe interval, the access device considers that the probe
    succeeds and the portal server is reachable; otherwise, it considers that the probe fails and the
    portal server is unreachable.
• Probe parameters
  ○ Probe interval: Interval at which probe attempts are made.
  ○ Maximum number of probe attempts: Maximum number of consecutive probe attempts
    allowed. If the number of consecutive probes reaches this value, the access device considers
    that the portal server is unreachable.
• Actions to be taken when the server reachability status changes (you can choose one or more)