R3303-HP 6600/HSR6600 Routers Security Configuration Guide
Configuration guidelines
• You can enable both direct/cross-subnet portal authentication and 802.1X authentication on a
Layer 3 interface, and a user can access the network after passing either authentication. If you
enable both 802.1X authentication and re-DHCP portal authentication on a Layer 3 interface,
portal authentication will fail. For information about 802.1X, see "Configuring 802.1X."
• The destination port number that the access device uses for sending unsolicited packets to the portal
server must be the same as the port number that the remote portal server actually uses.
• The portal server and its parameters can be deleted or modified only when the portal server is not
referenced by any interface.
• Cross-subnet authentication mode (portal server server-name method layer3) does not require
Layer 3 forwarding devices between the access device and the authentication clients. However, if
Layer 3 forwarding devices exist between the authentication client and the access device, you must
select the cross-subnet portal authentication mode.
• In re-DHCP authentication mode, a client can use a public IP address to send packets before
passing portal authentication. However, responses to the packets are restricted.
Configuration prerequisites
Before enabling Layer 3 portal authentication on an interface, make sure:
• An IP address is configured for the interface.
• The interface is not added to any port aggregation group.
• The portal server to be referenced on the interface exists.
Configuration procedure
To enable Layer 3 portal authentication:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | The interface must be a Layer 3 Ethernet interface. |
| 3. Enable Layer 3 portal authentication on the interface. | portal server server-name method { direct \| layer3 \| redhcp } | Not enabled by default. |
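The guidelines and prerequisites above can be checked offline against a saved configuration before portal authentication is enabled. The following script is an added example, not part of the HP guide: only the portal server server-name method line comes from this page, while the ip address, dot1x, port link-aggregation group, and portal server server-name ip forms, the server names, and the sample configuration are assumptions constructed for illustration.

```python
import re
# Constructed sample configuration (not from the guide). Command forms other
# than "portal server <name> method ..." are assumed Comware-style syntax.
SAMPLE = """\
portal server newpt ip 192.0.2.10
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 dot1x
 portal server newpt method redhcp
interface GigabitEthernet0/2
 port link-aggregation group 1
 portal server guest method layer3
interface GigabitEthernet0/3
 ip address 10.0.3.1 255.255.255.0
 dot1x
 portal server newpt method direct
"""

PORTAL_IF = re.compile(r"portal server (\S+) method (direct|layer3|redhcp)$")
PORTAL_DEF = re.compile(r"portal server (\S+) ip \S+")

def audit(config):
    """Return sorted (interface, finding) tuples for portal-enabled interfaces."""
    defined, blocks, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line ends any interface block
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                blocks[current] = []
            elif (m := PORTAL_DEF.match(line)):
                defined.add(m.group(1))  # portal server defined in system view
        elif current and line:
            blocks[current].append(line)
    findings = []
    for name, lines in blocks.items():
        for server, method in (m.groups() for l in lines if (m := PORTAL_IF.match(l))):
            if not any(l.startswith("ip address ") for l in lines):
                findings.append((name, "no IP address configured"))
            if any(l.startswith("port link-aggregation group") for l in lines):
                findings.append((name, "member of an aggregation group"))
            if server not in defined:
                findings.append((name, f"portal server '{server}' not defined"))
            if method == "redhcp" and "dot1x" in lines:
                findings.append((name, "802.1X with re-DHCP portal: portal authentication will fail"))
    return sorted(findings)
```

Calling audit(SAMPLE) reports one finding for GigabitEthernet0/1 and three for GigabitEthernet0/2; GigabitEthernet0/3 passes because 802.1X may coexist with direct portal authentication.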
Controlling access of portal users
Configuring a portal-free rule
A portal-free rule allows specified users to access specified external websites without portal
authentication.
The matching items for a portal-free rule include the source and destination IP address, TCP/UDP port
number, source MAC address, inbound interface, and VLAN. Packets matching a portal-free rule will not
trigger portal authentication, so users sending the packets can directly access the specified external
websites.










