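A site uses a WX3510H for wireless Portal. Because the number of users is small and cost is a consideration, local Portal authentication is used. The customer wants Portal users to be easy to manage, and the recommendation was that one account can be logged in from only one client, so access-limit 1 was configured under local-user to restrict logins. However, it was found not to take effect.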
1. Check the user's login status: one account does have two users logged in, and both can access the network normally.
[AC]dis portal user username exingsi
Username: exingsi
Portal server: N/A
State: Online
VPN instance: N/A
MAC IP VLAN Interface
9492-bc8d-c66b 192.168.20.4 20 Vlan-interface20
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
Username: exingsi
Portal server: N/A
State: Online
VPN instance: N/A
MAC IP VLAN Interface
70ec-e48e-df7d 192.168.20.1 20 Vlan-interface20
Authorization information:
DHCP IP pool: N/A
User profile: N/A
Session group profile: N/A
ACL number: N/A
Inbound CAR: N/A
Outbound CAR: N/A
2. Check the relevant on-site configuration.
[AC]dis cu
#
version 7.1.064, Release 5121P32
#
sysname AC
#
interface Vlan-interface20
ip address 192.168.23.253 255.255.252.0
portal enable method direct
portal domain system
portal apply web-server localportal
#
wlan service-template 1
description Wifi-Teacher
ssid HASSX
vlan 20
service-template enable
#
domain system
#
domain default enable system
#
local-user admin class manage
password hash $h$6$XPoMrWcQRGN8dgJN$M8MgWKxL/9LrBnqxZHOlm+TVHWcWja/s/kuVd0d4QPyVVnYWiuk+pweePvEcxTVMKfMrQYzGdQM2XbR5OdneNg==
service-type telnet http https
authorization-attribute user-role network-admin
#
local-user exingsi class network
password cipher $c$3$xrwxxfgDSxWhjdwvRJ6vBMOLpe859peefho=
access-limit 1
service-type portal
authorization-attribute user-role network-operator
#
portal host-check enable
portal free-rule 0 source ip any destination ip 114.114.114.114 255.255.255.255
portal free-rule 1 source ip 114.114.114.114 255.255.255.255 destination ip any
portal free-rule 2 source ip any destination ip 172.16.0.2 255.255.255.255
portal free-rule 3 source ip 172.16.0.2 255.255.255.255 destination ip any
portal free-rule 4 source interface GigabitEthernet1/0/1
portal free-rule 5 source ip 192.168.23.253 255.255.255.255 destination ip any
portal free-rule 6 source ip any destination ip 192.168.23.253 255.255.255.255
#
portal web-server localportal
url http://172.X.X.2/portal
url-parameter wlanuserip source-address
#
portal local-web-server http
default-logon-page defaultfile.zip
#
portal mac-trigger-server local
free-traffic threshold 1024
local-binding enable
#
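According to the manual, the access-limit command sets the maximum number of users that can access the device using the current local user name. Its usage restriction is:
The access-limit command in local user view takes effect only when local accounting is used for that user.
Checking the domain's accounting shows that the default is also local.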
<AC2>dis domain
Total 1 domains
Domain: system
State: Active
Default authentication scheme: Local
Default authorization scheme: Local
Default accounting scheme: Local
Accounting start failure action: Online
Accounting update failure action: Online
Accounting quota out action: Offline
Service type: HSI
Session time: Exclude idle time
DHCPv6-follow-IPv6CP timeout: 60 seconds
Authorization attributes:
Idle cut: Disabled
Session timeout: Disabled
IGMP access limit: 4
MLD access limit: 4
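It was confirmed that, for this kind of local Portal authentication, limiting logged-in users takes effect only when accounting start-fail offline is configured in the corresponding authentication domain. The accounting start-fail command configures the policy for accounting-start failures, that is, whether the user is allowed to access the network after the device fails to send an accounting-start request to the accounting server. With accounting start-fail offline added under the authentication domain, a user whose accounting start fails is not allowed to stay online.
In the future, if the number of logins for one account needs to be limited with local authentication, this command must be configured in the corresponding domain.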
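An added example, not part of the original case and not H3C tooling: a Python check that reads a display current-configuration dump and reports Portal local users whose access-limit sits under a domain that lacks accounting start-fail offline. The function names and the trimmed sample configuration are constructed for illustration, and falling back to domain system when no default domain is configured is an assumption.

```python
import re

# Constructed sample: a trimmed copy of the configuration shown in this case.
SAMPLE_CONFIG = """#
interface Vlan-interface20
 portal domain system
#
domain system
#
domain default enable system
#
local-user exingsi class network
 access-limit 1
 service-type portal
#
"""

def split_sections(config):
    """Split a configuration dump into (header, body lines) on the '#' separators."""
    sections = []
    for block in re.split(r"(?m)^#[ \t]*$", config):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            sections.append((lines[0], lines[1:]))
    return sections

def audit_access_limit(config):
    """Return (domain, users) pairs where access-limit is set but not enforced."""
    domains, portal_domains, limited = {}, set(), []
    default_domain = "system"  # assumption: used when no default domain is configured
    for header, body in split_sections(config):
        m = re.fullmatch(r"domain (?:name )?(\S+)", header)
        if m:
            domains[m.group(1)] = body
        elif header.startswith("domain default enable "):
            default_domain = header.split()[-1]
        elif re.fullmatch(r"local-user \S+ class network", header):
            portal = any(l.split()[0] == "service-type" and "portal" in l.split() for l in body)
            if portal and any(l.startswith("access-limit ") for l in body):
                limited.append(header.split()[1])
        # Any view (interface, service template) may bind Portal users to a domain.
        portal_domains.update(l.split()[-1] for l in body if l.startswith("portal domain "))
    findings = []
    for name in sorted(portal_domains or {default_domain}):
        if limited and "accounting start-fail offline" not in domains.get(name, []):
            findings.append((name, sorted(limited)))
    return findings

if __name__ == "__main__":
    print(audit_access_limit(SAMPLE_CONFIG))
```

An empty result means every domain that Portal users authenticate in already carries accounting start-fail offline, or no Portal local user has access-limit set.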