Configure L3 Portal Authentication Function
Configuration Condition
To enable the L3 Portal authentication function, it is necessary to meet the following condition:
- The Portal server is created on the authentication device
Enable Ordinary L3 Portal Authentication Function
On the L3 interface of the authentication device connecting the user, enable the ordinary L3 Portal authentication function. The ordinary L3 authentication mode has two control modes:
- Control based on the source IP: Permit the authenticated packet with the valid source IP to pass
- Control based on the source IP + source MAC: Permit the authenticated packet with the valid source IP and source MAC address to pass
Table 13–9 Enable the ordinary L3 Portal authentication function
Step 1: Enter the global configuration mode
Command: configure terminal
Description: -
Step 2: Enter the interface configuration mode
Command: interface interface-name
Description: -
Step 3: Enable the ordinary L3 Portal authentication function
Command: portal server server-name method layer3 [ ip | ip-mac ]
Description: Mandatory. By default, the ordinary L3 Portal authentication function is disabled.
Note:
- You cannot enable the 802.1X authentication and MAC authentication function on the port that is enabled with the ordinary L3 Portal authentication.
- You cannot enable the L2 Portal authentication function on the port that is enabled with the ordinary L3 Portal authentication.
- When the port enabled with the L2 Portal authentication is added to the VLAN interface enabled with the ordinary L3 Portal authentication, the L2 Portal authentication will be disabled.
Enable the Portal Authentication Function of Secondary Address Assignment
Enable the Portal authentication function of the secondary address assignment on the L3 interface of the authentication device connecting the user. The Portal authentication function of the secondary address assignment uses control based on the source IP + source MAC, permitting the authenticated packet with the valid source IP and source MAC address to pass.
To configure the Portal authentication function of secondary address assignment, it is necessary to meet the following conditions:
- Configure the active and standby IP addresses on the interface
- The DHCP Relay and DHCP Snooping functions need to be configured on the authentication device.
Table 13–10 Enable the Portal authentication function of the secondary address assignment
Step 1: Enter the global configuration mode
Command: configure terminal
Description: -
Step 2: Enter the interface configuration mode
Command: interface interface-name
Description: -
Step 3: Enable the Portal authentication function of the secondary address assignment
Command: portal server server-name method redhcp
Description: Mandatory. By default, the Portal authentication function of the secondary address assignment is disabled on the interface.
Note:
- You cannot enable the 802.1X authentication and MAC authentication function on the port that is enabled with the Portal authentication of the secondary address assignment.
- You cannot enable the L2 Portal authentication function on the port that is enabled with the Portal authentication of the secondary address assignment.
- When the port enabled with the L2 Portal authentication is added to the VLAN interface enabled with the Portal authentication of the secondary address assignment, the L2 Portal authentication will be disabled.
- The Portal authentication mode of the secondary address assignment needs to be supported by the Portal client and Portal server at the same time. Otherwise, the authentication cannot be done.
Configure and Apply Secure Channel
After enabling the L3 authentication function on the L3 interface, configure and apply a secure channel if terminal users should be allowed to reach resources in a specified network without authentication, or if specific terminal users should be allowed to reach network resources without authentication.
Secure channel rules can be divided into the following types:
- Configure the terminal user to permit accessing the specified network resources
- Configure the specified terminal user to permit accessing network resources
Table 13–11 Apply the secure channel
Step 1: Enter the global configuration mode
Command: configure terminal
Description: -
Step 2: Configure the secure channel
Command: hybrid access-list advanced { access-list-number | access-list-name }
Description: Mandatory. By default, the secure channel is not configured in the device.
Step 3: Configure the secure channel rules
Command: [ sequence ] permit protocol { any | source-ip-addr source-wildcard | host source-ip-addr } { any | source-mac-addr source-wildcard | host source-mac-addr } { any | destination-ip-addr destination-wildcard | host destination-ip-addr } { any | destination-mac-addr destination-wildcard | host destination-mac-addr }
Description: Mandatory. By default, there is no secure channel rule in the secure channel.
Step 4: Apply the secure channel
Command: global security access-group { access-group-number | access-group-name }
Description: Mandatory. By default, no secure channel is applied in the system.
Note:
- The device can be configured with multiple secure channels, and one secure channel can contain multiple secure channel rules.
- The secure channel type can only be the hybrid (mixed) advanced ACL, and only one secure channel can be applied on the device.
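A worked configuration that strings the secure channel and the ordinary L3 Portal procedures together, added here as an illustration and not taken from the product manual. It assumes a Portal server already created under the name portal1 (creating it is outside this section), a user-facing L3 interface vlan10, a DNS server at 10.1.1.53 and the Portal server host at 10.1.1.80 (all constructed placeholders); the protocol keywords udp, tcp and ip, the Cisco-style wildcard masks and the exit lines are assumed rather than documented on this page, and lines beginning with ! are explanatory comments, not device input.

```text
! Secure channel: a hybrid advanced ACL listing what an unauthenticated user may reach
configure terminal
hybrid access-list advanced 5000
 ! rule 10: any user host may resolve names via the DNS server (constructed address)
 10 permit udp any any host 10.1.1.53 any
 ! rule 20: any user host may reach the Portal server, otherwise the login page never loads
 20 permit tcp any any host 10.1.1.80 any
 ! rule 30: only the 10.2.0.0/16 user subnet may reach the update mirror 10.1.1.90 before authenticating
 30 permit ip 10.2.0.0 0.0.255.255 any host 10.1.1.90 any
 exit
! Only one secure channel can be applied on the device; everything not matched above still requires Portal authentication
global security access-group 5000
! Enable ordinary L3 Portal on the user-facing interface; ip-mac binds the authenticated session to
! both the source IP and the source MAC, so a packet carrying only a valid IP is not passed on its own
interface vlan10
 portal server portal1 method layer3 ip-mac
 exit
```

Keep the pre-authentication rules to the minimum the login flow needs (DNS and the Portal server); every extra permit is traffic that bypasses authentication for all hosts behind the interface.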