This section describes how to configure user-defined Portal authentication.
By default, the FW uses port 8887 to provide the built-in local Portal authentication page. Users can proactively access the page (https://interface IP address:8887) for local Portal authentication, or the HTTP requests of users are redirected to the page for local Portal authentication.
When an enterprise deploys an external Portal server for user authentication, user-defined Portal authentication needs to be configured.
| Parameter | Description |
|---|---|
| **Portal Authentication Template** | Except Emergency Channel, all Portal authentication template-related configurations take effect for the two types of user-defined Portal authentication. |
| Portal Authentication Template | When an external Portal server is used for user authentication, enable the Portal authentication template. |
| Portal Authentication Template Name | Enter the Portal authentication template name. A maximum of five Portal authentication template names can be set. |
| Portal Server URL | Set the Portal authentication page URL. |
| Push Information to the Portal Server | If the Portal server needs to interwork with the FW to exchange data, enable the FW to push information to the Portal server. After this function is enabled, the FW automatically appends the default parameters to the Portal server URL before pushing the URL to the Portal server for Portal authentication; the Portal server then extracts the information from the URL. For example, if the Portal server URL is https://example.com, the FW changes it to https://example.com?fwname=TH-FW1&fwip=0.0.0.0&pagetype=login&esn=21023595120123456789&url=http://www.example0.com/&userip=1.1.1.1 and pushes the modified URL to the Portal server. The default parameters in the URL are described as follows (the value of each parameter is automatically filled in by the FW): |
| URL parameters | If the Portal server can interwork with the FW using the default parameters in the Portal server URL, you do not need to set URL parameters. Otherwise, set the parameters in the Portal server URL that the Portal server needs to interwork with the FW. The configurable parameters are as follows: Once one or more URL parameters are set, the FW adds only the configured parameters to the Portal server URL and no default parameters. For example, if the ESN is configured, the Portal server URL carries only the ESN. |
| NTLM Authentication | In an AD domain authentication environment where NTLM authentication is enabled, a user who has already logged in to the AD domain no longer needs to enter a user name or password when accessing the Internet through the browser. The FW serves as the NTLM authentication proxy: it triggers NTLM authentication between the browser and the AD server, relays the NTLM authentication messages, and obtains the user ID during the authentication process. In NTLM authentication, the FW does not push a Portal authentication page for entering the user name and password. The process does, however, involve redirection for authentication, so you must configure the Portal server URL, namely https://interface IP address:8887. NOTE: When the user accesses the Internet through a proxy server, the FW does not support NTLM authentication. NTLM authentication applies only to HTTP (port 80) traffic. A prerequisite of NTLM authentication is that the browser supports NTLM authentication; otherwise, the browser cannot automatically provide the user login information. At present, IE and Chrome support NTLM authentication, but you must enable automatic logon in Internet Options. |
| AD Server IP Address | Enter the AD server IP address and port used in NTLM authentication. Usually, set the port to 445. |
| Emergency Channel | With the emergency channel function, the FW does not push the user-defined Portal authentication page to users when it detects that the Portal server is Down. That is, the FW does not authenticate users, and users can directly access network resources. The parameter takes effect for user-defined Portal authentication in which the FW participates in user authentication. When setting Emergency Channel, you must also set Server Probe. |
| **Portal2.0 protocol parameters** | Portal2.0 protocol parameters take effect only for method 2: The FW participates in user-defined Portal authentication for user authentication. |
| Portal2.0 Protocol | When the FW participates in user-defined Portal authentication for user authentication, Portal2.0 needs to be enabled. When user-defined Portal authentication is used, the Portal server and the FW use Portal2.0 to communicate. |
| Portal Server IP Address: Port | Set the IP address and port of the Portal server. Port 50100 is used by default. |
| Shared Key | Set the shared key used for the communication between the FW and the Portal server. This key is used by the FW and the Portal server to encrypt transmitted packets. |
| Server Probe | If the communication between the FW and the Portal server is interrupted due to a network fault or a fault in the Portal server, users cannot go online. The server probe function enables the FW to report such faults through logs. When setting Server Probe, you are advised to also set Emergency Channel so that users can still access network resources when the Portal server is Down. |
| Probe Interval | Set the interval at which the FW probes the Portal server. For example, if the parameter is set to 60s, the FW probes the Portal server every 60s. |
| Probe Retry Counts | Set the maximum number of Portal server probe failures. If the number of consecutive probe failures exceeds this value, the Portal server status changes from Up to Down. |
| Fault Report Log | After you set this parameter, the FW sends log information when it detects that the Portal server is Down. |
| User Information Synchronization | If the communication between the FW and the Portal server is interrupted due to a network fault or a fault in the Portal server, online users on the FW cannot log out properly, so the user information on the FW becomes inconsistent with that on the Portal server. The user information synchronization function keeps the user information on the FW consistent with that on the Portal server. |
| Synchronization Period | Set the period at which the FW synchronizes user information. |
| Synchronization Counts | Set the maximum number of times that the FW may fail to synchronize user information. During synchronization, if the FW detects that the Portal server has no information on a user that the FW still has online, the FW does not immediately force the user offline. Instead, the FW forces the user offline only when the Portal server still has no information on the user after the number of consecutive synchronization failures reaches Synchronization Counts. |
| Listening Port | Set the number of the port on which the FW listens for Portal2.0 packets. |
| **MAC Address-prioritized Portal Authentication** | |
| MAC Address-prioritized Portal Authentication | If **The FW participates in user-defined Portal authentication for user authentication** is combined with MAC address-prioritized Portal authentication, enable MAC address-prioritized Portal authentication. |
| Authentication Interface | Set the interface connecting the FW to the user zone. This interface provides the MAC address-prioritized Portal authentication function. When this interface receives HTTP service flows from a user, and the user is not online or the mapping between the user IP address and MAC address has changed, the FW sends a MAC authentication request to the Agile Controller. This interface must be a Layer 2 physical interface or a Layer 2 Eth-Trunk interface. |
| Authentication Domain | Set the authentication domain for MAC address-prioritized Portal authentication. This authentication domain is used when the FW sends a MAC authentication request to the Agile Controller. |
| Authentication Timeout Period | If the Agile Controller does not respond to the MAC authentication request from the FW within this period, the FW pushes the Portal authentication page to the user. |
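The Push Information to the Portal Server and URL parameters rows describe how the FW rewrites the configured Portal server URL before redirecting a user. The following Python is an added illustration of that rewriting and of the Portal-server side that reads the parameters back; it is not the FW's or any vendor's code. The parameter names and sample values (fwname, fwip, pagetype, esn, url, userip) come from the example URL in the table; the function names, the handling of a Portal server URL that already carries a query string, and the scheme check before redirecting the user back to the `url` value are assumptions made for this example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Parameter names as shown in the table's example URL, in the same order.
DEFAULT_PARAMS = ("fwname", "fwip", "pagetype", "esn", "url", "userip")


def build_portal_redirect(portal_url, fw_info, user_ip, original_url, configured=None):
    """Return the URL the FW pushes to the Portal server.

    portal_url:   the configured Portal Server URL.
    fw_info:      dict with the FW's own fwname, fwip and esn.
    original_url: the page the user originally requested.
    configured:   names set under "URL parameters". If empty, all default
                  parameters are appended; otherwise only the configured ones
                  are appended and no default parameter is added (assumption:
                  this mirrors the table's "only the ESN" example).
    """
    values = {
        "fwname": fw_info["fwname"],
        "fwip": fw_info["fwip"],
        "pagetype": "login",
        "esn": fw_info["esn"],
        "url": original_url,
        "userip": user_ip,
    }
    names = tuple(configured) if configured else DEFAULT_PARAMS
    # urlencode percent-encodes the nested original URL, so its '?' and '&'
    # cannot be confused with the FW's own parameter separators.
    query = urlencode([(name, values[name]) for name in names])
    parts = urlsplit(portal_url)
    # Assumption: if the configured URL already has a query string, join with '&'.
    joined = f"{parts.query}&{query}" if parts.query else query
    return urlunsplit((parts.scheme, parts.netloc, parts.path, joined, parts.fragment))


def parse_portal_request(request_url):
    """Portal-server side: extract the parameters the FW appended."""
    query = parse_qs(urlsplit(request_url).query)
    return {name: vals[0] for name, vals in query.items()}


def post_login_target(params, fallback="/"):
    """Where the Portal server sends the user after a successful login.

    Assumption: only an absolute http(s) URL taken from the 'url' parameter is
    honoured; anything else falls back to a local page.
    """
    target = params.get("url", "")
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        return target
    return fallback


if __name__ == "__main__":
    # Constructed FW identity using the values from the table's example URL.
    fw = {"fwname": "TH-FW1", "fwip": "0.0.0.0", "esn": "21023595120123456789"}
    pushed = build_portal_redirect("https://example.com", fw, "1.1.1.1", "http://www.example0.com/")
    print(pushed)
    print(parse_portal_request(pushed))
    print(build_portal_redirect("https://example.com", fw, "1.1.1.1", "http://www.example0.com/", configured=["esn"]))
```

Running the block prints the fully parameterised URL, the dictionary the Portal server recovers from it, and the ESN-only variant that results once a single URL parameter is configured.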
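The Server Probe, Probe Interval, Probe Retry Counts, Fault Report Log and Emergency Channel rows together define a small state machine: the FW probes the Portal server every Probe Interval, marks it Down once consecutive failures exceed Probe Retry Counts, logs that transition, and, if Emergency Channel is set, stops pushing the Portal page while the server is Down. The Python below is an added simulation of that behaviour, not the FW's implementation; the class and method names, the log text and the return values of `handle_http_request` are assumptions for the example, and the probe results are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PortalServerProbe:
    """FW-side view of the Portal server, driven by probe results."""
    probe_interval_s: int = 60      # Probe Interval
    retry_counts: int = 3           # Probe Retry Counts
    emergency_channel: bool = False # Emergency Channel
    status: str = "Up"
    failures: int = 0               # consecutive failed probes
    logs: list = field(default_factory=list)

    def record_probe(self, success: bool, now_s: int) -> str:
        """Apply one probe result and return the resulting server status."""
        if success:
            self.status = "Up"
            self.failures = 0
            return self.status
        self.failures += 1
        # The table says the status flips when the failure count *exceeds*
        # Probe Retry Counts, so a setting of 3 tolerates three failures.
        if self.status == "Up" and self.failures > self.retry_counts:
            self.status = "Down"
            # Fault Report Log: one log line at the Up -> Down transition.
            self.logs.append(f"t={now_s}s portal server Down after {self.failures} failed probes")
        return self.status

    def handle_http_request(self, user_online: bool) -> str:
        """What the FW does with an HTTP flow (assumed labels for the outcomes)."""
        if user_online:
            return "forward"
        if self.status == "Down" and self.emergency_channel:
            # Emergency Channel: no Portal page, user reaches resources directly.
            return "permit-without-auth"
        # Otherwise the FW keeps redirecting to the Portal page; while the
        # server is Down without an emergency channel the user cannot complete login.
        return "redirect-to-portal"


def run_probe_sequence(probe: PortalServerProbe, results):
    """Feed probe results one Probe Interval apart; return the status after each."""
    return [probe.record_probe(ok, i * probe.probe_interval_s) for i, ok in enumerate(results, 1)]


if __name__ == "__main__":
    # Constructed probe results: one success, four failures, one success.
    probe = PortalServerProbe(probe_interval_s=60, retry_counts=3, emergency_channel=True)
    print(run_probe_sequence(probe, [True, False, False, False, False, True]))
    print(probe.logs)
```

With Probe Retry Counts set to 3, the fourth consecutive failure (at t=300s in the sample) is what changes the status to Down; a later successful probe returns it to Up and resets the failure counter.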
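The User Information Synchronization, Synchronization Period and Synchronization Counts rows describe a second counter-driven procedure: each period the FW compares its online users with the Portal server's list, and a user the Portal server keeps reporting as absent is forced offline only after that has happened Synchronization Counts times in a row. The Python below is an added simulation of that rule (not the FW's code); the class name, the per-user counter and the way a synchronization round is modelled as a set of user names are assumptions, and the user lists are constructed.

```python
class UserInfoSync:
    """FW-side user table reconciled against the Portal server's view."""

    def __init__(self, sync_period_s: int, sync_counts: int):
        self.sync_period_s = sync_period_s  # Synchronization Period
        self.sync_counts = sync_counts      # Synchronization Counts
        self.online = set()                 # users the FW considers online
        self.missing = {}                   # user -> consecutive rounds absent on the Portal server

    def login(self, user: str) -> None:
        """Record a user that completed Portal authentication."""
        self.online.add(user)
        self.missing.pop(user, None)

    def run_round(self, portal_users) -> list:
        """One synchronization round; return the users forced offline this round.

        portal_users: the set of users the Portal server reports as online.
        """
        forced = []
        for user in sorted(self.online):
            if user in portal_users:
                # Consistent again: a single sighting resets the counter.
                self.missing.pop(user, None)
                continue
            count = self.missing.get(user, 0) + 1
            self.missing[user] = count
            # Not immediate: only after the count reaches Synchronization Counts.
            if count >= self.sync_counts:
                forced.append(user)
        for user in forced:
            self.online.discard(user)
            self.missing.pop(user, None)
        return forced


if __name__ == "__main__":
    # Constructed scenario: the Portal server loses track of bob, then of everyone.
    sync = UserInfoSync(sync_period_s=300, sync_counts=3)
    sync.login("alice")
    sync.login("bob")
    for reported in ({"alice", "bob"}, {"alice"}, {"alice"}, {"alice", "bob"}, set(), set(), set()):
        print(sorted(reported), "->", sync.run_round(reported), "missing:", sync.missing)
    print("still online:", sorted(sync.online))
```

Note how bob's counter reaches 2 and is then cleared when the Portal server reports him again; only three consecutive absences, as in the last three rounds, remove a user from the FW's online table.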