H3C MSR Series Command Reference Manual page 387

Comware 7 security

Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.
domain-name: Specifies an existing ISP domain by its name, a case-insensitive string of 1 to 255
characters. The string cannot contain the following characters: slashes (/), backslashes (\), vertical
bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right
angle brackets (>), and at signs (@).
Usage guidelines
After you configure a preauthentication domain on a portal-enabled interface, the device authorizes
users on the interface as follows:
1. After an unauthenticated user obtains an IP address, the user is assigned the authorization
   attributes configured for the preauthentication domain.
   The authorization attributes in a preauthentication domain include ACL, user profile, and CAR.
   An unauthenticated user who is authorized with the authorization attributes in a
   preauthentication domain is called a preauthentication user.
2. After the user passes portal authentication, the user is assigned new authorization
   attributes from the AAA server.
3. After the user goes offline, the user is reassigned the authorization attributes in the
   preauthentication domain.
The preauthentication domain takes effect only on portal users with IP addresses assigned by DHCP
or DHCPv6.
Make sure you specify an existing ISP domain as a preauthentication domain. If the specified ISP
domain does not exist, the device might operate incorrectly.
You must delete a preauthentication domain (by using the undo portal [ ipv6 ] pre-auth domain
command) and reconfigure it in the following situations:
• You create the ISP domain after specifying it as the preauthentication domain.
• You delete the specified ISP domain and then re-create it.
If you change the preauthentication domain on an interface, the interface uses the new
preauthentication domain for both new and existing preauthentication users.
If authorization attributes in the preauthentication domain are modified, the modified attributes take
effect only on new preauthentication users. Existing preauthentication users use the original
authorization attributes.
If the ACL in the preauthentication domain does not exist or the ACL has no rules, the device does
not control user access. Users can access any network resources without passing portal
authentication.
Follow these guidelines when you configure a preauthentication ACL rule:
• Do not specify a source address. If you specify a source address, users cannot trigger portal
  authentication.
• Do not set the destination address to any. If you set the destination address to any, all packets
  will be permitted to pass and therefore users can access any resources before portal
  authentication.
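The guidelines above can be checked offline against a saved configuration. The following is an added example, not part of the H3C manual: it flags a preauthentication domain that does not exist, a missing or empty preauthentication ACL, rules that set a source address, and permit rules whose destination is any (a permit rule with no destination is treated the same way, which goes slightly beyond the manual's wording). The names audit_preauth and SAMPLE_CONFIG are hypothetical, and the configuration layout (acl advanced, rule, authorization-attribute acl) is assumed to follow Comware 7 display output.

```python
# Constructed sample in Comware 7 display style (layout is an assumption).
SAMPLE_CONFIG = """\
acl advanced 3000
 rule 0 permit ip destination 192.168.0.111 0
 rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 192.168.0.112 0
 rule 10 permit ip destination any
acl advanced 3001
domain abc
 authorization-attribute acl 3000
domain guest
 authorization-attribute acl 3001
interface GigabitEthernet1/0/1
 portal pre-auth domain ABC
 portal ipv6 pre-auth domain guest
interface GigabitEthernet1/0/2
 portal pre-auth domain missing
"""

def audit_preauth(config):
    """Return (interface, finding) pairs for risky preauthentication setups."""
    acls, domains, preauth, cur = {}, {}, [], [""]
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line.startswith(" "):  # unindented line opens a new section
            cur = w
            if w[0] == "acl":
                acls[w[-1]] = []
            elif w[0] == "domain":  # ISP domain names are case-insensitive
                domains[w[-1].lower()] = None
        elif cur[0] == "acl" and w[0] == "rule":
            acls[cur[-1]].append(w)
        elif cur[0] == "domain" and w[:2] == ["authorization-attribute", "acl"]:
            domains[cur[-1].lower()] = w[2]
        elif cur[0] == "interface" and w[0] == "portal" and w[-3:-1] == ["pre-auth", "domain"]:
            preauth.append((cur[-1], w[-1].lower()))
    findings = []
    for ifname, dom in preauth:
        if dom not in domains:
            findings.append((ifname, f"ISP domain {dom} does not exist"))
            continue
        rules = acls.get(domains[dom])
        if not rules:
            findings.append((ifname, f"ACL {domains[dom]} missing or empty: no access control"))
        for r in rules or []:
            if "source" in r:
                findings.append((ifname, f"rule {r[1]}: source address set"))
            if "permit" in r and ("destination" not in r or r[r.index("destination") + 1] == "any"):
                findings.append((ifname, f"rule {r[1]}: permits any destination"))
    return findings
```

Calling audit_preauth(SAMPLE_CONFIG) returns four findings: two rule problems in ACL 3000, the empty ACL 3001, and the nonexistent domain on GigabitEthernet1/0/2.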
Examples
# Create the preauthentication domain abc for GigabitEthernet 1/0/1.