Configuration prerequisites – H3C Technologies H3C S3100 Series Switches User Manual

Page 468


- Before enabling global Web authentication, you should first set the IP address of a Web authentication server.
- Do not add a Web authentication enabled port to a port aggregation group and do not enable Web authentication on a port that is in a port aggregation group.
- You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect. The Web authentication settings on ports take effect immediately once you enable Web authentication globally.
- A Web authentication client and the switch with Web authentication enabled must be able to communicate at the network layer so that the Web authentication page can be displayed on the Web authentication client.
- Web authentication is mutually exclusive with functions that depend on ACLs such as IP filtering, ARP intrusion detection, QoS, and port binding.
- After a user gets online using the shared access method, if you configure an authentication-free user whose IP address and MAC address are the same as those of the online user, the online user will be forced offline.
- You can use the web-authentication select method extended command to enable Web authentication on a hybrid port.

Configuring an Auth-Fail VLAN for Web Authentication

In some cases, it is required to allow clients failing Web authentication to access network resources such as the virus definitions upgrade server. You can configure a Web authentication Auth-Fail VLAN to meet such requirements.

A Web authentication Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or MAC-based Auth-Fail VLAN (MAFV), depending on the VLAN assignment mode:

- PAFV
  In this mode, if a user on a port fails Web authentication, the port will be added to the Auth-Fail VLAN, allowing all users on the port to access resources in the Auth-Fail VLAN.
- MAFV
  MAFV on a port requires cooperation of the MAC VLAN function on the port. When a user on the port fails Web authentication, the MAC address of the user will be bound with the Auth-Fail VLAN, and the user can access only the resources in the Auth-Fail VLAN.

Configuration Prerequisites

- Enable Web authentication globally.
- Create the VLAN to be configured as the Auth-Fail VLAN.
- Configure the port as a hybrid port.
- Enable Web authentication on the port and set the Web authentication access method on the port to extended.
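
The prerequisites and restrictions above can be checked before a change is applied. The following pre-change check is an added example, not part of the H3C manual or software; the inventory dictionary, its key names, the port names and the sample values are hypothetical, and treating the ACL-dependent functions as a per-port property is an assumption.

```python
# Added example. The dictionary keys are a hypothetical inventory model,
# not H3C CLI output or an H3C API.
ACL_FEATURES = {"ip-filtering", "arp-intrusion-detection", "qos", "port-binding"}

def check_auth_fail_vlan(switch, port_name, vlan_id, mode="PAFV"):
    """Return the unmet prerequisites for an Auth-Fail VLAN on one port."""
    port = switch["ports"][port_name]
    problems = []
    if not switch.get("web_server_ip"):
        problems.append("no Web authentication server IP address set")
    if not switch.get("web_auth_global"):
        problems.append("Web authentication not enabled globally")
    if vlan_id not in switch.get("vlans", ()):
        problems.append(f"VLAN {vlan_id} has not been created")
    if port.get("link_type") != "hybrid":
        problems.append("port is not a hybrid port")
    if not port.get("web_auth"):
        problems.append("Web authentication not enabled on the port")
    if port.get("method") != "extended":
        problems.append("access method is not extended")
    if port.get("aggregation_group") is not None:
        problems.append("port belongs to a port aggregation group")
    # Assumption: ACL-dependent functions are recorded per port.
    clash = sorted(ACL_FEATURES & set(port.get("features", ())))
    if clash:
        problems.append("ACL-dependent functions enabled: " + ", ".join(clash))
    if mode == "MAFV" and not port.get("mac_vlan"):
        problems.append("MAFV requires the MAC VLAN function on the port")
    return problems

# Constructed sample state: port names, VLAN IDs and address are made up.
SAMPLE = {
    "web_server_ip": "192.0.2.10",
    "web_auth_global": True,
    "vlans": {1, 10},
    "ports": {
        "Ethernet1/0/1": {"link_type": "hybrid", "web_auth": True,
                          "method": "extended", "mac_vlan": False},
        "Ethernet1/0/2": {"link_type": "access", "web_auth": True,
                          "method": "shared", "aggregation_group": 1,
                          "features": ["qos"]},
    },
}

if __name__ == "__main__":
    for name in SAMPLE["ports"]:
        for mode in ("PAFV", "MAFV"):
            issues = check_auth_fail_vlan(SAMPLE, name, 10, mode)
            print(name, mode, "OK" if not issues else issues)
```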
