R2511-HP MSR Router Series Security Configuration Guide(V5)
306
• A Layer 2 interface in an aggregation group cannot be specified as the source interface of a
portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation
group.
Configuration procedure
To configure a portal-free rule:
Ste
p
Command
1. Enter system
view.
system-view
2. Configure a
portal-free rule.
portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length |
netmask } | any } } | source { any | [ interface interface-type interface-number | ip
{ ip-address mask { mask-length | mask } | any } | mac mac-address | vlan vlan-id ]
* } } *
Configuring an authentication source subnet
Only Layer 3 portal authentication supports this feature.
By configuring authentication source subnets, you specify that only HTTP packets from users on the
authentication source subnets can trigger portal authentication. If an unauthenticated user is not on any
authentication source subnet, the access device discards all the user's HTTP packets that do not match
any portal-free rule.
Configuration of authentication source subnets applies to only cross-subnet authentication. In direct
authentication mode, the authentication source subnet is 0.0.0.0/0. In re-DHCP authentication mode,
the authentication source subnet of an interface is the subnet to which the private IP address of the
interface belongs.
If both authentication source subnets and destination subnets are configured on an interface, only the
authentication destination subnet takes effect.
To configure an authentication source subnet:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter interface
view.
interface interface-type interface-number N/A
3. Configure an
authentication
source subnet.
portal auth-network network-address
{ mask-length | mask }
Optional.
By default, the authentication
source IP subnet is 0.0.0.0/0,
respectively, which mean that users
from any subnets must pass portal
authentication.
You can configure up to 16
authentication source subnets.
Configuring an authentication destination subnet
Only Layer 3 portal authentication supports this feature.