Configuring portal stateful failover
CAUTION: Specifying or changing the device ID of a device will log off all online users on the device. Therefore, perform the configuration only when necessary and, after the configuration, save the configuration and restart the device. When two devices are running in stateful failover mode (one active, the other standby), do not delete the configured backup source IP addresses. Otherwise, online users on the backup may not be able to receive packets from the server.
Only Layer 3 portal authentication supports this feature.
To implement stateful failover for portal, configure VRRP for traffic switchover, and perform the following configurations for service backup on each of the two devices that back up each other:
Specify an interface for backing up portal services, which is referred to as portal service backup interface in this document, and enable portal on the portal service backup interface. The portal service backup interface is different from the stateful failover interface. Stateful failover interfaces only forward state negotiation messages and backup data.
Specify the portal group to which the portal service backup interface belongs. Be sure to specify the same portal group for the portal service backup interfaces that back up each other on the two devices.
Specify the device ID. Make sure that the device ID of the local device is different from that of the peer device.
Specify the backup source IP address for outgoing RADIUS packets as the source IP address for RADIUS packets that is configured on the peer device, so that the peer device can receive packets from the server. (This configuration is optional.)
Specify the stateful failover backup VLAN, and enable stateful failover. For related configuration, see High Availability Configuration Guide.
After the stateful failover state of the two devices changes from independence to synchronization and the portal group takes effect, the two devices start to back up the data of online portal users for each other.
Configuration guidelines
In stateful failover mode, the device does not support re-DHCP portal authentication on the portal service backup interface.
In stateful failover mode, if a user on either device is logged out, information about the user on the other device is deleted, too. You can log off a user on the device or on the portal server. For example, you can use the cut connection and portal delete-user commands on the device to log off users.
The AAA and portal configuration must be consistent on the two devices that back up each other. For example, you must configure the same portal server on the two devices.
Configuration procedure
To configure stateful failover:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Specify the portal group to which the portal service backup interface belongs. | portal backup-group group-id | By default, the portal service backup interface does not belong to any portal group. The portal service backup interfaces on the two devices for stateful failover must belong to the same portal group. |
4. Return to system view. | quit | N/A |
5. Specify the device ID in stateful failover mode. | nas device-id device-id | By default, the device operates in stand-alone mode, and thus has no device ID configured. For more information about the command, see Security Command Reference. |
6. Specify a backup source IP address for outgoing RADIUS packets. | | Optional. Use either approach. By default, no backup source IP address is specified. You do not need to specify the backup source IP address if the device uses the virtual IP address of the VRRP group to which the uplink belongs as the source IP address of outgoing RADIUS packets. For more information about the command, see Security Command Reference. |
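
The pairing rules above (the same portal group on the portal service backup interfaces, a different device ID on each device) can be checked before stateful failover is enabled. The script below is an added example, not part of the original guide. The configuration excerpts are constructed, and their layout (unindented global commands, interface commands indented by one space, `#` separators) is an assumption about how the saved configuration is displayed.

```python
import re

# Constructed configuration excerpts; interface names, group IDs and
# device IDs are sample values, and the text layout is an assumption.
DEVICE_A = """\
nas device-id 1
#
interface Vlan-interface10
 portal backup-group 1
#
"""
DEVICE_B = """\
nas device-id 2
#
interface Vlan-interface10
 portal backup-group 1
#
"""

def parse(config):
    """Return (device_id, {interface: portal group}) from configuration text."""
    device_id, groups, current = None, {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)              # entered interface view
        elif not line.startswith(" "):
            current = None                    # back in system view
            if m := re.match(r"nas device-id (\S+)", line):
                device_id = m.group(1)
        elif current and (m := re.match(r"\s+portal backup-group (\S+)", line)):
            groups[current] = m.group(1)
    return device_id, groups

def check_pair(cfg_a, cfg_b):
    """List violations of the pairing rules for two devices backing up each other."""
    (id_a, grp_a), (id_b, grp_b) = parse(cfg_a), parse(cfg_b)
    problems = []
    if id_a is None or id_b is None:
        problems.append("device ID missing: device operates in stand-alone mode")
    elif id_a == id_b:
        problems.append(f"both devices use device ID {id_a}")
    if not grp_a or not grp_b:
        problems.append("no portal service backup interface belongs to a portal group")
    elif set(grp_a.values()) != set(grp_b.values()):
        problems.append(f"portal groups differ: {sorted(set(grp_a.values()))} "
                        f"vs {sorted(set(grp_b.values()))}")
    return problems
```

An empty list from `check_pair(DEVICE_A, DEVICE_B)` means both rules hold; each string in a non-empty list names one rule the pair breaks.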