Enabling portal authentication on an interface
Restrictions and guidelines
When you enable portal authentication on an interface, follow these restrictions and guidelines:
Cross-subnet authentication mode (layer3) does not require Layer 3 forwarding devices between the access device and the portal authentication clients. However, if a Layer 3 forwarding device exists between the authentication client and the access device, you must use the cross-subnet portal authentication mode.
You can enable both IPv4 portal authentication and IPv6 portal authentication on an interface.
When you configure re-DHCP portal authentication on an interface, follow these restrictions and guidelines:
Make sure the interface has a valid IP address before you enable re-DHCP portal authentication on the interface.
With re-DHCP portal authentication, configure authorized ARP on the interface as a best practice to make sure only valid users can access the network. With authorized ARP configured on the interface, the interface learns ARP entries only from the users who have obtained a public address from DHCP.
For successful re-DHCP portal authentication, make sure the BAS-IP or BAS-IPv6 attribute value is the same as the device IP address specified on the portal authentication server. To configure the attribute, use the portal { bas-ip | bas-ipv6 } command.
An IPv6 portal server does not support re-DHCP portal authentication.
Procedure
Enter system view.
system-view
Enter Layer 3 interface view.
interface interface-type interface-number
Enable portal authentication.
IPv4:
portal enable method { direct | layer3 | redhcp }
IPv6:
portal ipv6 enable method { direct | layer3 }
By default, portal authentication is disabled.