Portal filtering rules
The access device uses portal filtering rules to control user traffic forwarding.
Based on the configuration and authentication status of portal users, the device generates the following categories of portal filtering rules:
First category—The rule permits user packets that are destined for the portal Web server and packets that match the portal-free rules to pass through.
Second category—For an authenticated user with no ACL authorized, the rule allows the user to access any destination network resources. For an authenticated user with an ACL authorized, the rule allows the user to access the resources permitted by the ACL. The device adds the rule when a user comes online and deletes the rule when the user goes offline.
The device supports the following types of authorization ACLs:
Basic ACLs (ACL 2000 to ACL 2999).
Advanced ACLs (ACL 3000 to ACL 3999).
Layer 2 ACLs (ACL 4000 to ACL 4999).
For an authorization ACL to take effect, make sure the following requirements are met:
The ACL exists and has ACL rules.
Basic ACL rules do not have the fragment or vpn-instance keyword configured.
Layer 2 ACL rules do not have the cos, dest-mac, lsap, or source-mac keyword configured.
Third category—The rule redirects all HTTP or HTTPS requests from unauthenticated users to the portal Web server.
Fourth category—For direct authentication and cross-subnet authentication, the rule forbids any user packets from passing through. For re-DHCP authentication, the rule forbids user packets with private source addresses from passing through.
After receiving a user packet, the device compares the packet against the filtering rules from the first category to the fourth category. Once the packet matches a rule, the matching process completes.
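The following Python model of the first-match evaluation across the four categories is an added example, not code from the page or from the device vendor. It assumes RFC 1918 ranges stand in for "private source addresses", that a destination not permitted by the authorization ACL falls through to the fourth category, and that ACL entries are checked in first-match order; the packet, user and address values are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: RFC 1918 ranges model "private source address" for re-DHCP authentication.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Packet:
    src: str
    dst: str
    dport: int          # 80 and 443 are treated as HTTP/HTTPS requests

@dataclass
class User:
    authenticated: bool = False
    acl: Optional[list] = None   # None = no ACL authorized; else [(network, "permit"|"deny"), ...]

def portal_filter(pkt, user, portal_server, free_nets, mode="direct"):
    """Return the action for pkt; the first category whose rule matches wins."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # First category: traffic to the portal Web server or matching a portal-free rule.
    if dst == ip_address(portal_server) or any(dst in n for n in free_nets):
        return "permit"
    # Second category: authenticated user, with or without an authorization ACL.
    if user.authenticated:
        if user.acl is None:
            return "permit"
        for net, action in user.acl:     # first-match ACL evaluation
            if dst in net:
                if action == "permit":
                    return "permit"
                break
        # Assumption: a destination the ACL does not permit falls through to the fourth category.
    # Third category: HTTP/HTTPS from an unauthenticated user is redirected to the portal.
    if not user.authenticated and pkt.dport in (80, 443):
        return "redirect"
    # Fourth category: direct/cross-subnet drop everything else; re-DHCP drops private sources.
    if mode in ("direct", "cross-subnet"):
        return "deny"
    if mode == "re-dhcp" and any(src in n for n in PRIVATE_NETS):
        return "deny"
    return "no-match"   # re-DHCP packet with a public source address matched no category
```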