某局点WX3510H本地Portal限制登录数失败问题处理经验案例

某局点使用WX3510H做无线Portal，因为用户数较少，考虑到成本的关系，使用本地Portal认证，客户希望Portal用户易于管理，建议一个账号只能由一个客户端登录，所以在local-user下使用access-limit 1来限制用户的登录，但是发现并没有生效。

无

1.查看用户的登录情况，发现确实一个账号有两个用户在登录，而且能够正常上网

[AC]dis portal user username exingsi
Username: exingsi
  Portal server: N/A
  State: Online
  VPN instance: N/A
  MAC             IP                    VLAN    Interface                      
  9492-bc8d-c66b  192.168.20.4          20      Vlan-interface20               
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL number: N/A
    Inbound CAR: N/A
    Outbound CAR: N/A

Username: exingsi
  Portal server: N/A
  State: Online
  VPN instance: N/A
  MAC             IP                    VLAN    Interface                      
  70ec-e48e-df7d  192.168.20.1          20      Vlan-interface20               
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    Session group profile: N/A
    ACL number: N/A
    Inbound CAR: N/A
    Outbound CAR: N/A

2.检查现场的相关配置

[AC]dis cu      
#
 version 7.1.064, Release 5121P32
#
 sysname AC
#
interface Vlan-interface20
 ip address 192.168.23.253 255.255.252.0
 portal enable method direct
 portal domain system
 portal apply web-server localportal
#
wlan service-template 1
 description Wifi-Teacher
 ssid HASSX
 vlan 20
 service-template enable
#
interface Vlan-interface20
 ip address 192.168.23.253 255.255.252.0
 portal enable method direct
 portal domain system
 portal apply web-server localportal
#
domain system
#             
 domain default enable system
#
local-user admin class manage
 password hash $h$6$XPoMrWcQRGN8dgJN$M8MgWKxL/9LrBnqxZHOlm+TVHWcWja/s/kuVd0d4QPyVVnYWiuk+pweePvEcxTVMKfMrQYzGdQM2XbR5OdneNg==
 service-type telnet http https
 authorization-attribute user-role network-admin
#
local-user exingsi class network
 password cipher $c$3$xrwxxfgDSxWhjdwvRJ6vBMOLpe859peefho=
 access-limit 1
 service-type portal
 authorization-attribute user-role network-operator            
#
 portal host-check enable
 portal free-rule 0 source ip any destination ip 114.114.114.114 255.255.255.255
 portal free-rule 1 source ip 114.114.114.114 255.255.255.255 destination ip any
 portal free-rule 2 source ip any destination ip 172.16.0.2 255.255.255.255
 portal free-rule 3 source ip 172.16.0.2 255.255.255.255 destination ip any
 portal free-rule 4 source interface GigabitEthernet1/0/1
 portal free-rule 5 source ip 192.168.23.253 255.255.255.255 destination ip any
 portal free-rule 6 source ip any destination ip 192.168.23.253 255.255.255.255
#
portal web-server localportal
 url http://172.X.X.2/portal
 url-parameter wlanuserip source-address
#
portal local-web-server http
 default-logon-page defaultfile.zip
 
#
portal mac-trigger-server local
 free-traffic threshold 1024
 local-binding enable
#

查看相关手册，access-limit命令用来设置使用当前本地用户名接入设备的最大用户数，使用限制是

本地用户视图下的access-limit命令只在该用户采用了本地计费方法的情况下生效。

查看domain的本地计费，发现默认也是本地。

<AC2>dis domain
Total 1 domains

Domain: system
  State: Active
  Default authentication scheme:  Local
  Default authorization  scheme:  Local
  Default accounting     scheme:  Local
  Accounting start failure action: Online
  Accounting update failure action: Online
  Accounting quota out action: Offline
  Service type: HSI
  Session time: Exclude idle time
  DHCPv6-follow-IPv6CP timeout: 60 seconds
  Authorization attributes:
    Idle cut: Disabled
    Session timeout: Disabled
    IGMP access limit: 4
    MLD access limit: 4

经确认，这种本地Portal认证对于登录用户进行限制需要在相应的认证域里面配置accounting start-fail offline才可以生效。accounting start-fail命令用来配置用户计费开始失败策略，即设备向计费服务器发送计费开始请求失败后，是否允许用户接入网络。认证域下添加accounting start-fail  offline命令，如果用户计费开始失败，不允许用户保持在线状态。

后续如果本地认证的情况需要对一个账号的登录数进行限制需要在相应的域里面配置该命令。