R2511-HP MSR Router Series Security Configuration Guide(V5)
Feature: Support for portal user moving

Model       Support
MSR900      No
MSR93X      No
MSR20-1X    No
MSR20       No
MSR30       Supported on MIM-FSW modules, MSR30-11E, and MSR30-11F
MSR50       No
MSR1000     No

If hubs, Layer 2 switches, or APs sit between users and the access device, and an authenticated user
moves from the current access port to another Layer 2-portal-authentication-enabled port of the device
without logging off, the user cannot access the network as long as the original port is still active.
This occurs because the original port maintains the user's authentication information and, by default,
the device does not permit such a user to come online from another port.
When support for portal user moving is enabled on the device, either of the following occurs:
• If the original port is still up and the two ports belong to the same VLAN, the device allows the user
to continue to access the network without re-authentication, and uses the new port information for
user accounting.
• If the original port is down or the two ports belong to different VLANs, the device removes the
authentication information of the user from the original port and authenticates the user on the new
port.
To enable support for portal user moving:

Step                                          Command                  Remarks
1. Enter system view.                         system-view              N/A
2. Enable support for portal user moving.     portal move-mode auto    Disabled by default.

NOTE:
For a user with authorization information configured, after the user moves from a port to another, the
device tries to assign the authorization information to the new port. If the operation fails, the device deletes
the user's information from the original port and re-authenticates the user on the new port.

Configuring RADIUS related attributes
Only Layer 3 portal authentication supports this feature.
Specifying NAS-Port-Type for an interface
NAS-Port-Type is a standard RADIUS attribute that indicates a user's access port type. With this attribute
specified on an interface, when a portal user logs on from the interface, the device uses the specified
NAS-Port-Type value in the RADIUS request sent to the RADIUS server. If NAS-Port-Type is not
specified, the device uses the access port type it obtains.
If there are multiple network devices between the Broadband Access Server (BAS, the portal authentication
access device) and a portal client, the BAS might not be able to obtain a user's correct access port
information. For example, for a wireless client using portal authentication, the access port type obtained
by the BAS might be the type of the wired port that authenticates the user. To make sure that the BAS
delivers the right access port information to the RADIUS server, specify the NAS-Port-Type that matches
the actual access environment.










