R2511-HP MSR Router Series Security Configuration Guide(V5)
An AC in a different subnet from an AP cannot obtain the SSID of a client associated with that AP and
thus does not support binding SSIDs to an authentication page file. For more information about AC and
SSID, see WLAN Configuration Guide.
Enabling portal authentication
You must first enable portal authentication on an access interface before it can perform portal
authentication for connected clients.
Enabling Layer 2 portal authentication
Before enabling Layer 2 portal authentication, make sure the following requirements are met:
• The listening IP address of the local portal server is specified.
• Layer 3 portal authentication is not enabled on any interface.
To enable Layer 2 portal authentication:
Step                                                   Command                                     Remarks
1. Enter system view.                                  system-view                                 N/A
2. Enter Layer 2 Ethernet interface view.              interface interface-type interface-number   N/A
3. Enable Layer 2 portal authentication on the port.   portal local-server enable                  Not enabled by default.
NOTE:
To ensure normal operation of portal authentication on a Layer 2 port, do not enable port security,
guest VLAN of 802.1X, or EAD fast deployment of 802.1X on the port.
Enabling Layer 3 portal authentication
Configuration guidelines
• You cannot enable portal authentication on a Layer 3 interface added to an aggregation group,
nor can you add a portal-enabled Layer 3 interface to an aggregation group.
• You can enable both direct/cross-subnet portal authentication and 802.1X authentication on a
Layer 3 interface, and a user can access the network after passing either authentication. If you
enable both 802.1X authentication and re-DHCP portal authentication on a Layer 3 interface,
portal authentication will fail. For information about 802.1X, see "Configuring 802.1X."
• The destination port number that the access device uses for sending unsolicited packets to the portal
server must be the same as the port number that the remote portal server actually uses.
• The portal server and its parameters can be deleted or modified only when the portal server is not
referenced by any interface.
• Cross-subnet authentication mode (portal server server-name method layer3) does not require
Layer 3 forwarding devices between the access device and the authentication clients. However, if
Layer 3 forwarding devices exist between the authentication client and the access device, you must
select the cross-subnet portal authentication mode.
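The following Python script is an added example, not part of the HP guide. It audits a saved configuration against the Layer 2 prerequisites and port restrictions and the Layer 3 aggregation-group guideline above. The sample configuration is constructed, and every command spelling other than portal local-server enable and portal server server-name method is an assumption about how the setting appears in a configuration dump.

```python
import re

# Constructed sample in the style of a Comware configuration dump.
SAMPLE_CONFIG = """\
portal local-server ip 192.0.2.1
interface Ethernet1/1
 portal local-server enable
 dot1x guest-vlan 10
interface GigabitEthernet0/1
 port link-aggregation group 1
 portal server newpt method layer3
"""
L2_PORTAL = r"portal local-server enable$"    # command from the guide
L3_PORTAL = r"portal server \S+ method \S+"   # command from the guide
# Assumed command spellings: adjust to what your software release prints.
LISTEN_IP = r"portal local-server ip \S+"
AGGREGATION = r"port link-aggregation group "
L2_CONFLICTS = {"port security": r"port-security ",
                "802.1X guest VLAN": r"dot1x guest-vlan "}

def parse(config):
    """Split a dump into global lines and a dict of per-interface lines."""
    glob, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = ifaces.setdefault(raw.partition(" ")[2].strip(), [])
        elif raw[:1].isspace() and cur is not None:
            cur.append(raw.strip())
        elif raw.strip():  # "#" separator or global command ends the block
            cur = None
            glob.append(raw.strip())
    return glob, ifaces

def has(pattern, lines):
    return any(re.match(pattern, line) for line in lines)

def audit(config):
    """Return (scope, finding) pairs for violations of the guide's rules."""
    glob, ifaces = parse(config)
    l2 = [n for n, ls in ifaces.items() if has(L2_PORTAL, ls)]
    l3 = [n for n, ls in ifaces.items() if has(L3_PORTAL, ls)]
    out = []
    if l2 and not has(LISTEN_IP, glob):
        out.append(("global", "listening IP of the local portal server not set"))
    for name in l2:
        out += [(name, "Layer 2 portal, but Layer 3 portal on " + i) for i in l3]
        out += [(name, "Layer 2 portal port also has " + label)
                for label, pat in L2_CONFLICTS.items() if has(pat, ifaces[name])]
    return out + [(n, "Layer 3 portal interface is in an aggregation group")
                  for n in l3 if has(AGGREGATION, ifaces[n])]
```

Calling audit(SAMPLE_CONFIG) reports three findings: the Layer 2/Layer 3 conflict and the guest VLAN on Ethernet1/1, and the aggregation-group membership of GigabitEthernet0/1.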










