HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1811
Redirecting authenticated users to a specified web page

To make the device automatically redirect authenticated users to a specified web page, do the following in logon.htm and logonSuccess.htm:

1. In logon.htm, set the target attribute of Form to blank. See the contents in gray:
2. Add the function for page loading pt_init() to logonSuccess.htm. See the contents in gray: LogonSuccessed...
Page 1812
• Configure PKI policies, obtain the CA certificate, and apply for a local certificate. For more information, see Configuring PKI.
• Configure the SSL server policy, and specify the PKI domain to be used, which is configured in the above step. For more information, see Configuring SSL.

When you specify the protocol for the local portal server to support, the local portal server will load the default authentication page file, which is supposed to be saved in the root directory of the...
Page 1813
Step 3. Enable Layer 2 portal authentication on the port.
  Command: portal local-server enable
  Remarks: Not enabled by default.

Enabling Layer 3 portal authentication (available only on the HP 5500 EI series)

Before enabling Layer 3 portal authentication on an interface, make sure that:
• An IP address is configured for the interface.
• The interface is not added to any port aggregation group.
• Layer 2 portal authentication is not enabled on any ports.

Follow these guidelines...
Page 1814
Controlling access of portal users

Configuring a portal-free rule

A portal-free rule allows specified users to access specified external websites without portal authentication. The matching items for a portal-free rule include the source and destination IP address, source MAC address, inbound interface, and VLAN. Packets matching a portal-free rule will not trigger portal authentication, so that users sending the packets can directly access the specified external websites. For Layer 2...
Page 1815
NOTE: Regardless of whether portal authentication is enabled or not, you can only add or remove a portal-free rule. You cannot modify it.

Configuring an authentication source subnet (available only on the HP 5500 EI series)

Only Layer 3 portal authentication supports this feature. By configuring authentication source subnets, you specify that only HTTP packets from users on the authentication source subnets can trigger portal authentication. If an unauthenticated user is not on any...
Page 1816
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the maximum number of online portal users.
  Command: portal max-user max-number
  Remarks: By default, the maximum number is 3000 on the HP 5500 EI series and 1000 on the HP 5500 SI series.

NOTE: The maximum number of online portal users the switch actually assigns depends on the ACL resources on the switch.

Specifying an authentication domain for portal users

After you specify an authentication domain for portal users on an...
Page 1817
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Add a web proxy server port number.
  Command: portal web-proxy port port-number
  Remarks: By default, no web proxy server port number is configured and proxied HTTP requests cannot trigger portal authentication.

Enabling support for portal user moving

Only Layer 2 portal authentication supports this feature. In scenarios where there are hubs, Layer 2 switches, or APs between users and the access devices, if an authenticated user moves...
Page 1818
This task sets the Auth-Fail VLAN to be assigned to users failing portal authentication. You can specify different Auth-Fail VLANs for portal authentication on different ports. A port can be specified with only one Auth-Fail VLAN for portal authentication.

Before specifying an Auth-Fail VLAN, be sure to create the VLAN.

To specify an Auth-Fail VLAN for portal authentication:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view....
Page 1819
Specifying a NAS ID profile for an interface

In some networks, users' access points are identified by their access VLANs. Network carriers need to use NAS-identifiers to identify user access points. With a NAS ID profile specified on an interface, when a user logs in from the interface, the access device checks the specified profile to obtain the NAS ID that is bound with the access VLAN. The value of this NAS ID is used as that of the NAS-identifier attribute in the RADIUS packets to be sent...
Page 1820
Step 3. Specify a source IP address for outgoing portal packets.
  Command: portal nas-ip { ipv4-address | ipv6 ipv6-address }
  Remarks: Optional. By default, no source IP address is specified for outgoing portal packets and the IP address of the user logon interface is used as the source IP address of the outgoing portal packets. In NAT environments, HP recommends specifying the interface's public IP address as the source IP address of outgoing portal packets.

Configuring portal...