Configuring an authentication source subnet

By configuring authentication source subnets, you specify that only HTTP or HTTPS packets from users on the authentication source subnets can trigger portal authentication. If an unauthenticated user is not on any authentication source subnet, the access device discards all the user's HTTP or HTTPS packets that do not match any portal-free rule.

Authentication source subnets apply only to cross-subnet portal authentication.

In direct or re-DHCP portal authentication mode, a portal user and its access interface (portal-enabled) are on the same subnet. It is not necessary to specify the subnet as the authentication source subnet.

• In direct mode, the access device regards the authentication source subnet as any source IP address.

• In re-DHCP mode, the access device regards the authentication source subnet on an interface as the subnet to which the private IP address of the interface belongs.

If both authentication source subnets and destination subnets are configured on an interface, only the authentication destination subnets take effect.

You can configure multiple authentication source subnets. If the source subnets overlap, the subnet with the largest address scope (with the smallest mask or prefix) takes effect.

1. Enter system view.

   system-view

2. Enter Layer 3 interface view.

   interface interface-type interface-number

3. Configure a portal authentication source subnet.

   IPv4:

   portal layer3 source ipv4-network-address { mask-length | mask }

   By default, users from any subnets must pass portal authentication.

   IPv6:

   portal ipv6 layer3 source ipv6-network-address prefix-length

   By default, users from any subnets must pass portal authentication.