H3C Technologies H3C SecPath F1000-E User Manual

example, once detecting that the portal server is unreachable, the access device will allow portal users
to access network resources without authentication. This function is referred to as portal escape. It allows
for flexible user access control.
With the portal server detection function, the device can detect the status of a specific portal server. The
specific configurations include:
1. Detection methods (you can choose either or both)
• Probing HTTP connections: The access device periodically sends TCP connection requests to the
HTTP service port of the portal servers configured on its interfaces. If the TCP connection with a
portal server can be established, the access device considers that the probe succeeds, that is, the
HTTP service of the portal server is open and the portal server is reachable. If the TCP connection
cannot be established, the access device considers that the probe fails and the portal server is
unreachable.
• Probing portal heartbeat packets: A portal server that supports the portal heartbeat function
(currently only the portal server of iMC supports this function) sends portal heartbeat packets to
portal access devices periodically. If an access device receives a portal heartbeat packet or an
authentication packet within a probe interval, the access device considers that the probe succeeds
and the portal server is reachable; otherwise, it considers that the probe fails and the portal server
is unreachable.
2. Probe parameters
• Probe interval: Interval at which probe attempts are made.
• Maximum number of probe attempts: Maximum number of consecutive probe attempts allowed. If
the number of consecutive probes reaches this value, the access device considers that the portal
server is unreachable.
3. Actions to be taken when the server reachability status changes (you can choose one or more)
• Sending a trap message: When the status of a portal server changes, the access device sends a
trap message to the network management server (NMS). The trap message contains the portal
server name and the current state of the portal server.
• Sending a log: When the status of a portal server changes, the access device sends a log message.
The log message indicates the portal server name and the current state and original state of the
portal server.
• Disabling portal authentication (enabling portal escape): When the device detects that a portal
server is unreachable, it disables portal authentication on the interfaces that use the portal server,
that is, it allows all portal users on the interfaces to access network resources. Then, if the device
receives from the portal server portal heartbeat packets or authentication packets (such as logon
requests and logout requests), it re-enables the portal authentication function.
You can configure any combination of the configuration items described above as needed, subject
to the following:
• If both detection methods are specified, a portal server will be regarded as unreachable as long as
one detection method fails, and an unreachable portal server will be regarded as recovered only
when both detection methods succeed.
• If multiple actions are specified, the device will execute all the specified actions when the status of
a portal server changes.
• The detection function configured for a portal server takes effect on an interface only after you
reference the portal server on the interface.
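
The following Python model is an added example, not H3C code or CLI. It traces how the detection methods, the maximum number of probe attempts and the configured actions combine into state changes. The class and function names, the sample rounds and the reading of the attempt limit as consecutive failed probe rounds are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: one dict per probe interval. Heartbeats stop while the
# HTTP port still answers, then both methods succeed again.
SAMPLE_ROUNDS = [
    {"http": True, "heartbeat": True},
    {"http": True, "heartbeat": False},
    {"http": True, "heartbeat": False},
    {"http": True, "heartbeat": False},
    {"http": False, "heartbeat": True},
    {"http": True, "heartbeat": True},
]

@dataclass
class PortalServerDetector:
    """Illustrative model of the detection rules above; not H3C code."""
    name: str
    methods: tuple             # enabled methods, e.g. ("http", "heartbeat")
    max_attempts: int          # assumed: consecutive failed rounds before "unreachable"
    actions: tuple = ("log",)  # any of "trap", "log", "escape"
    state: str = "reachable"
    failures: int = 0
    auth_enabled: bool = True
    events: list = field(default_factory=list)

    def probe_round(self, results):
        # One failing method fails the round; recovery needs every method to succeed.
        ok = all(results.get(m, False) for m in self.methods)
        self.failures = 0 if ok else self.failures + 1
        if self.state == "reachable" and self.failures >= self.max_attempts:
            self._transition("unreachable")
        elif self.state == "unreachable" and ok:
            self._transition("reachable")
        return self.state

    def _transition(self, new):
        old, self.state = self.state, new
        if "trap" in self.actions:    # trap: server name + current state
            self.events.append(("trap", self.name, new))
        if "log" in self.actions:     # log: server name + current + original state
            self.events.append(("log", self.name, new, old))
        if "escape" in self.actions:  # portal escape: authentication off while unreachable
            self.auth_enabled = new == "reachable"

def simulate(rounds, **config):
    """Return ([(state, auth_enabled) per round], events) for a sequence of rounds."""
    det = PortalServerDetector(**config)
    return [(det.probe_round(r), det.auth_enabled) for r in rounds], det.events
```

With all three actions enabled and a limit of three attempts, rounds 4 and 5 of the sample are the interval in which portal users reach the network without authentication. The paired log events mark the start and end of that interval, which is why the log or trap action is worth enabling alongside portal escape.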
Follow these steps to configure the portal server detection function: