HP A 5120 Manual

Page 131

 
NOTE:
- If the port number of a web proxy server is 80, you do not need to configure the port number of the server on the device.
- If a user’s browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers, you need to add the port numbers of the web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.
- For Layer 2 portal authentication, you need to add the...

Page 132

 
Specifying the Auth-Fail VLAN for portal authentication

NOTE:
Only Layer 2 portal authentication supports this feature.

You can specify the Auth-Fail VLAN to be assigned to users failing portal authentication.
Before specifying the Auth-Fail VLAN, be sure to create the VLAN.
Follow these steps to specify the Auth-Fail VLAN for portal authentication:

To do…: Enter system view
Use the command…: system-view
Remarks: —

To do…: Enter Layer 2 Ethernet interface view
Use the command…: interface interface-type...

Page 133

 
NOTE:
The wait-time period keyword and argument combination is effective only for local portal authentication.

Configuring portal detection functions
After a Layer 2 portal user gets online, the device starts a detection timer for the user, and checks whether the user’s MAC address entry has been aged out or the user’s MAC address entry has been matched (a match means a packet has been received from the user) at the interval. If the device finds no MAC address...

Page 134

 
To do…: Display TCP spoofing statistics
Use the command…: display portal tcp-cheat statistics [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do…: Display information about portal users on a specified interface or all interfaces
Use the command…: display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

To do…: Clear TCP spoofing statistics
Use the command…: reset portal tcp-cheat statistics
Remarks: Available in...

Page 135

 
Figure 43 Network diagram for Layer 2 portal authentication configuration 
 
 
Configuration procedures 
 
NOTE:
- Ensure that the host, switch, and servers can reach each other before portal authentication is enabled.
- Configure the RADIUS server properly to provide normal authentication/authorization/accounting functions for users. In this example, you need to create a portal user account with the account name userpt on the RADIUS server, and configure an authorized VLAN for the account....

Page 136

 
# Configure the local portal server to support HTTPS and reference SSL server policy sslsvr. 
[Switch] portal local-server https server-policy sslsvr 
# Configure the IP address of loopback interface 12 as 4.4.4.4. 
[Switch] interface loopback 12 
[Switch-LoopBack12] ip address 4.4.4.4 32 
[Switch-LoopBack12] quit 
# Specify IP address 4.4.4.4 as the listening IP address of the local portal server for Layer 2 portal authentication.
[Switch] portal local-server ip 4.4.4.4 
#...

Page 137

 
# Enable DHCP. 
[Switch] dhcp enable 
# Create DHCP server group 1 and add DHCP server 1.1.1.3 into the group. 
[Switch] dhcp relay server-group 1 ip 1.1.1.3 
# Enable the DHCP relay agent on VLAN-interface 8. 
[Switch] interface vlan-interface 8 
[Switch-Vlan-interface8] dhcp select relay 
# Correlate DHCP server group 1 with VLAN-interface 8. 
[Switch-Vlan-interface8] dhcp relay server-select 1 
[Switch-Vlan-interface8] quit 
# Enable the DHCP relay agent on VLAN-interface 2. 
[Switch] interface...

Page 138

 
Use the display mac-vlan all command to view the generated MAC-VLAN entries, which record the MAC 
addresses passing authentication and the corresponding VLANs. 
[Switch] display mac-vlan all 
  The following MAC VLAN addresses exist: 
  S:Static  D:Dynamic 
  MAC ADDR         MASK             VLAN ID   PRIO   STATE 
  -------------------------------------------------------- 
  0015-e9a6-7cfe   ffff-ffff-ffff   3         0      D 
  Total MAC VLAN address count:1 
If a client fails...

Page 139

 
the portal server can receive the ACK_LOGOUT message correctly, no matter whether the listening port is 
configured on the access device. The user can log off the portal server. 
Solution 
Use the display portal server command to display the listening port of the portal server configured on the access device and use the portal server command in the system view to modify it to ensure that it is the actual listening port of the portal server.
  

Page 140

 
Triple authentication configuration 
Triple authentication overview 
The terminals in a LAN may support different authentication methods. As shown in Figure 44, a printer supports only MAC authentication, a PC installed with the 802.1X client supports 802.1X authentication, and the other PC carries out portal authentication. To satisfy the different authentication requirements, the port of the access device which connects to the terminals needs to support all...