Configuring Layer 2 Portal Authentication To Support Web Proxy; Enabling Support For Portal User Moving - H3C S5500-EI Series Security Configuration Manual

and the system default authentication domain. For information about the default authentication domain, see "Configuring AAA."

Configuring Layer 2 portal authentication to support Web proxy

By default, proxied HTTP requests cannot trigger Layer 2 portal authentication but are silently dropped. To allow such HTTP requests to trigger portal authentication, configure the port numbers of the Web proxy servers on the switch.

If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, add the port numbers of the Web proxy servers on the switch, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.

You must add the port numbers of the Web proxy servers on the switch and users must make sure their browsers that use a Web proxy server do not use the proxy server for the listening IP address of the local portal server. Thus, HTTP packets that the portal user sends to the local portal server are not sent to the Web proxy server.

To configure Layer 2 portal authentication to support a Web proxy:

| Step | Command | Remarks |
|------|---------|---------|
| 1. Enter system view. | system-view | N/A |
| 2. Add a Web proxy server port number. | portal web-proxy port port-number | By default, no Web proxy server port number is configured and proxied HTTP requests cannot trigger portal authentication. |

Enabling support for portal user moving

Only Layer 2 portal authentication supports this feature.

In scenarios where there are hubs, Layer 2 switches, or APs between users and the access devices, if an authenticated user moves from the current access port to another Layer 2-portal-authentication-enabled port of the device without logging off, the user cannot get online when the original port is still up. The reason is that the original port is still maintaining the authentication information of the user and the device does not permit such a user to get online from another port by default.

To solve the problem described above, enable support for portal user moving on the device. Then, when a user moves from a port of the device to another, the device provides services in either of the following ways:

- If the original port is still up and the two ports belong to the same VLAN, the device allows the user to continue to access the network without re-authentication, and uses the new port information for user accounting.
- If the original port is down or the two ports belong to different VLANs, the device removes the authentication information of the user from the original port and authenticates the user on the new port.

To enable support for portal user moving:
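Added example for the Web proxy section earlier on this page (not part of the H3C manual): a proxy auto-config (PAC) function, of the kind a WPAD server distributes to browsers, that keeps requests to the local portal server off the Web proxy, plus helpers that derive the `portal web-proxy port` commands from the proxy ports the PAC hands out. The addresses, ports and the helper names `proxyPorts` and `switchCommands` are constructed assumptions.

```javascript
// Constructed sample values (assumptions, not taken from the manual).
const PORTAL_LISTEN_IP = "192.0.2.1"; // listening IP of the local portal server
const PROXIES = ["198.51.100.5:8080", "198.51.100.6:3128"]; // Web proxy servers

// Standard PAC entry point. `host` is the host part of the URL, without a port.
function FindProxyForURL(url, host) {
  // Requests to the local portal server must bypass the Web proxy; otherwise
  // the user's login traffic is sent to the proxy instead of the switch.
  if (host === PORTAL_LISTEN_IP) {
    return "DIRECT";
  }
  return PROXIES.map((p) => "PROXY " + p).join("; ");
}

// Extract the distinct proxy ports from a PAC result string such as
// "PROXY 198.51.100.5:8080; PROXY 198.51.100.6:3128; DIRECT".
function proxyPorts(pacResult) {
  const ports = new Set();
  for (const entry of pacResult.split(";")) {
    const m = entry.trim().match(/^PROXY\s+\S+:(\d{1,5})$/i);
    if (m) {
      const port = Number(m[1]);
      // Keep only values inside the valid TCP port range.
      if (port >= 1 && port <= 65535) ports.add(port);
    }
  }
  return [...ports].sort((a, b) => a - b);
}

// Build the command sequence from the manual's table: enter system view,
// then add one Web proxy server port number per proxy port in use.
function switchCommands(pacResult) {
  return ["system-view"].concat(
    proxyPorts(pacResult).map((port) => "portal web-proxy port " + port)
  );
}
```

A proxy port that the PAC hands out but that is missing from the switch configuration leaves those users' proxied HTTP requests silently dropped, so rerun the comparison whenever the PAC file changes.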


This manual is also suitable for:

S5500-si series
