Configuring the portal server detection function – H3C Technologies H3C SecPath F1000-E User Manual
Page 134
124
NOTE:
Adjust the maximum number of transmission attempts and the interval of sending probe packets
according to the actual network conditions.
Configuring the portal server detection function
During portal authentication, if the communication between the access device and portal server is
broken off, new portal users will not be able to log on and the online portal users will not be able to log
off normally. To address this problem, the access device needs to be able to detect the reachability
changes of the portal server quickly and take corresponding actions to deal with the changes. For
example, once detecting that the portal server is unreachable, the access device will allow portal users
to access network resources without authentication. This function is referred to as portal authentication
bypass. It allows for flexible user access control.
With the portal server detection function, the access device can detect the status of a specific portal
server. The specific configurations include:
•
Detection methods (you can choose either or both)
{
Probing HTTP connections—The access device periodically sends TCP connection requests to
the HTTP service port of the portal servers configured on its interfaces. If the TCP connection with
a portal server can be established, the access device considers that the probe succeeds (the
HTTP service of the portal server is open and the portal server is reachable). If the TCP
connection cannot be established, the access device considers that the probe fails and the
portal server is unreachable.
{
Probing portal heartbeat packets—A portal server that supports the portal heartbeat function
(only the IMC portal server supports this function) sends portal heartbeat packets to portal
access devices periodically. If an access device receives a portal heartbeat packet or an
authentication packet within a probe interval, the access device considers that the probe
succeeds and the portal server is reachable. Otherwise, it considers that the probe fails and the
portal server is unreachable.
•
Probe parameters
{
Probe interval—Interval at which probe attempts are made.
{
Maximum number of probe attempts—Maximum number of consecutive probe attempts
allowed. If the number of consecutive probes reaches this value, the access device considers
that the portal server is unreachable.
•
Actions to be taken when the server reachability status changes (you can choose one or more)
{
Sending a trap message—When the status of a portal server changes, the access device sends
a trap message to the network management server (NMS). The trap message contains the
portal server name and the current state of the portal server.
{
Sending a log—When the status of a portal server changes, the access device sends a log
message. The log message indicates the portal server name and the current state and original
state of the portal server.
{
Disabling portal authentication (enabling portal authentication bypass)—When the access
device detects that a portal server is unreachable, it disables portal authentication on the
interfaces that use the portal server (allows all portal users on the interfaces to access network
resources). When the access device receives from the portal server portal heartbeat packets or
authentication packets (such as logon requests and logout requests), it re-enables the portal
authentication function.
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS