Specifying A Preauthentication Domain - HPE FlexNetwork 10500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 10500 Series:
- Security command reference (881 pages) ,
- Network management and monitoring command reference (423 pages) ,
- Configuration manual (407 pages)
Table of Contents
Advertisement
Step
3.
Specify an IPv6 portal
authentication domain.
Specifying a preauthentication domain
The preauthentication domain takes effect only on portal users with IP addresses obtained through
DHCP or DHCPv6.
After you configure a preauthentication domain on a portal-enabled interface, the device authorizes
users on the interface as follows:
1.
After an unauthenticated user obtains an IP address, the user is assigned authorization
attributes configured for the preauthentication domain.
The authorization attributes in a preauthentication domain include ACL and CAR.
An unauthenticated user who is authorized with the authorization attributes in a
preauthentication domain is called a preauthentication user.
2.
After the user passes portal authentication, the user is assigned new authorization attributes
from the AAA server.
3.
After the user goes offline, the user is reassigned the authorization attributes in the
preauthentication domain.
To avoid that portal users fail to come online because of ACL authorization failure, follow these
restrictions when you configure authorization ACL rules in the preauthentication domain:
•
If the authorization ACL is an IPv4 ACL, specify only the destination IPv4 address, protocol,
DSCP priority, TCP or UDP source port, and TCP or UDP destination port.
•
If the authorization ACL is an IPv6 ACL, specify only the destination IPv6 address, protocol,
DSCP priority, TCP or UDP source port, and TCP or UDP destination port.
•
If the authorization ACL is a Layer 2 ACL, specify only the destination MAC address and link
layer protocol.
The preauthentication domain does not take effect on interfaces enabled with cross-subnet portal
authentication.
Make sure you specify an existing ISP domain as a preauthentication domain. If the specified ISP
domain does not exist, the device might operate incorrectly.
You must delete a preauthentication domain (by using the undo portal [ ipv6 ] pre-auth domain
command) and reconfigure it in the following situations:
•
You create the ISP domain after specifying it as the preauthentication domain.
•
You delete the specified ISP domain and then re-create it.
To specify a preauthentication domain:
Step
1.
Enter system view.
2.
Enter interface view.
3.
Specify a preauthentication
domain.
Command
portal ipv6 domain
domain-name
Command
system-view
interface interface-type
interface-number
portal [ ipv6 ] pre-auth domain
domain-name
183
Remarks
By default, no ISP domain is
specified for IPv6 portal users on
the interface.
Remarks
N/A
N/A
By default, no preauthentication
domain is specified on an
interface.
Advertisement
Table of Contents
Troubleshooting
