Configure Port Group
This function helps you configure information about the ports of an access device. You can divide the ports of a device into multiple groups so that the ports in each group use the same Portal processing policies.
Precautions
- After configuring a port group, you need to click Validate in the navigation tree to validate your configuration.
- Web Identity AuthN does not support IP reallocation.
- If you have configured the same IP group for multiple port groups of the device, the port ranges of these port groups cannot overlap.
- The system name of an access device can contain only the following characters: A to Z, a to z, 0 to 9, and the symbols - _ . @
- Set the heartbeat interval and the heartbeat timeout to 0 only when you use the Web Identity AuthN and cannot keep the heartbeat (for example, you cannot keep the heartbeat window on some handset terminals’ browsers that support only one task and one window). To log out, you must open the authentication page again and click Log Out. If you do not actively log out, deadlock may occur. To avoid deadlock, you must configure idle disconnection on the access device. In any other case, do not set the heartbeat interval and heartbeat timeout to 0.
- When IP address reallocation is enabled on the portal device, endpoint users must use iNode PCs or iNode DCs for network access.
Parameters
Basic Information
- Port Group Name: name of the port group. It cannot be identical to that of any existing port group on any Portal device.
- Authentication Type: The available options are PAP, CHAP and EAP. The EAP authentication type is not available for web page authentication, iNode DC authentication, and smart device transparent authentication.
- Transparent Authentication: Enable transparent authentication. Transparent authentication allows endpoint users to complete portal authentication on the Web page by using intelligent endpoints, such as smartphones. The portal gateway forcibly pushes the authentication page only at the first authentication. An endpoint user has to enter the username and the password on the authentication page. When the first authentication succeeds, the portal server binds the MAC address of the intelligent endpoint with the user and service configuration in UAM. If the intelligent endpoint accesses the network again, the portal gateway and portal server automatically match the MAC address of the intelligent endpoint with the user in UAM. Portal authentication is finished automatically. The portal gateway does not forcibly push the authentication page any more. The endpoint user does not have to enter the username and the password again. In this way, transparent authentication for intelligent endpoints is realized. This feature takes effect only when the device supports it.
- IP Group: IP address group for this port group. If you select Yes for the NAT attribute, you must select a public network IP address group for this port group.
- Page Push Policy: Select a page push policy. UAM uses this policy to redirect the user's portal requests to the corresponding login page. If the page push policy is empty or has no login page configured, the user's portal requests are redirected to the default login page.
- Default Authentication Page: Specifies the authentication page for portal users. UAM lists the system-defined authentication pages as well as the portal pages customized for PCs and smartphones on the User > User Access Policy > Customize Terminal Pages > Portal Page page. The system-defined authentication pages are as follows:
1. Default Web Login (PC): This is the default Web authentication page for PCs. This option is the default value.
2. Default Web Login (PAD): This is a Web authentication page for all smart terminals that have medium-sized screens, such as iPads.
3. Default Web Login (PDA): This is a Web authentication page for early mobile digital devices such as PDAs.
4. Default Web Login (Phone): This is the default Web authentication page for smartphones.
5. Default Web Guest Authentication: The authentication page provides guest sign-in through SMS messages. The function is also provided on the SMS Message Registration and Authentication pages, which are optimal for smart devices.
6. Default iNode DC Login (PC): This is an iNode DC authentication page for PCs. This page is available only when the iNode DC component is installed.
7. Default Third Party Login: The page enables the user to switch between the Intranet and Internet. The switch function does not support popup windows.
8. Other Default Web Login (PC): The login page applies to all devices and has a different layout than the default Web authentication page.
9. QR Code Registration and Authentication: When this page is accessed, UAM automatically creates a preregistered guest account. When the account is registered within a specific time interval, portal authentication is automatically triggered on the page.
10. SMS Message Registration and Authentication (PC): This page allows a guest account to be registered and authenticated through an SMS message. It applies to endpoints that have large screens, such as PCs and tablets.
11. SMS Message Registration and Authentication (Phone): This page allows a guest account to be registered and authenticated through an SMS message. It applies to endpoints such as smart phones, which have small screens.
Advanced Information
- Start Port/End Port: Specifies the start port and end port of the port group on the device. If the access port of a portal user is not in the range defined by the start port and end port, the portal user cannot access the network. By default, the start port is 0 and the end port is zzzzzz. It is recommended to use the default settings unless there are special requirements. The start/end port format varies by device model. For example, on a MA5200, the format is hostname-vlan-slot(**)-vlanid(****)@vlan. To specify the start port and end port in INC, refer to the port format description in the device configuration manual. Before comparing the ports, the system pads the start port, the end port, and the comparison port (the port to be compared) with trailing spaces so that all three have the same length. For example, if the start port is 0, the end port is zzz, and the comparison port is zzyc, after padding they are 0|_||_||_|, zzz|_|, and zzyc respectively, where |_| stands for one space. Ports are compared as ASCII strings: the characters of a port are matched against those of the start and end ports from the high order character to the low order character (in dictionary order).
- If the first high order character equals those of the start and end ports, the first high order character is ignored and the second high order characters are compared, and so on until a character of the port matches the specified port range or the last character is compared.
- If the first high order character:
1) Is between those of the start and end ports, the port is considered to belong to the port group.
2) Equals that of the start port or end port, the second high order characters are compared.
3) Falls into any other case, the port is considered not to belong to the port group.
- When the first high order character equals that of the start port:
1) If the second high order character is greater than that of the start port, the port is considered to belong to the port group.
2) If the second high order character equals that of the start port, the third high order characters are compared, and so on until a character of the port matches the specified port range or the last character is compared.
3) Otherwise, the port is considered not to belong to the port group.
- When the first high order character equals that of the end port:
1) If the second high order character is less than that of the end port, the port is considered to belong to the port group.
2) If the second high order character equals that of the end port, the third high order characters are compared, and so on until a character of the port matches the specified port range or the last character is compared.
3) Otherwise, the port is considered not to belong to the port group.
- When the last characters are compared and the port's character is between or equal to those of the start and end ports, the port is considered to belong to the port group. Otherwise, the port is considered not to belong to the port group.
For example, suppose the start port is 0b and the end port is cz. Then, ports a, by, ca, cz, and cyz are all within the specified port range, whereas ports da and 0a are not.
- Protocol: The system supports HTTP and HTTPS.
- Quick Authentication: The system supports quick authentication. If you select Yes, a user does not need to type the username and password for authentication; instead, the user is authenticated based on the device port, MAC address or VLAN ID. If you select No, a user needs to type the username and password. This attribute requires support from the device.
- NAT or Not: The system supports the Portal authentication for NAT users. If IP address reallocation is configured for the device, you must select No in this field. That is, the IP address reallocation and the NAT attributes are mutually exclusive. This attribute requires support from the device, and must be consistent for all the port groups that use the same IP address group.
- Error Transparent Transmission: If you select Yes, the system will send error messages returned from the device to the user. This attribute requires support from the device.
- Language: prompt language for users who access the network through this port group. Currently only English is supported.
- Client Protection Against Cracks: With this option enabled, UAM cooperates with the iNode client to prevent the client using the iNode Client Only service from being cracked in portal authentication. To use this function, add and validate iNode Management Center on the User > User Access Policy > Service Parameters > System Settings > Client Anti-Crack page.
- Heartbeat Interval: Controls the interval of the handshake between user and Portal Server. The value 0 means no heartbeat.
- Heartbeat Timeout: Controls the timeout value of the handshake between user and Portal Server. This value should be at least double the heartbeat interval. The value 0 means no heartbeat. When the heartbeat interval is set to 0, you must set the heartbeat timeout to 0.
- User Domain: domain name corresponding to this port group. The domain name you configure here must be identical to that configured on the device; otherwise the user will fail the authentication on the device. If you specify a domain name here, the Portal Server automatically appends this domain name to the stand-alone username typed by a user in the login homepage. If no domain name is specified, the Portal Server directly passes the username to the device.
- Port Group Description: descriptive information about the port group.
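The Start Port/End Port comparison described above, together with the precaution that port groups sharing an IP group must not have overlapping port ranges, modelled as an added example (this is not UAM code; the function names are hypothetical). The constructed cases show that the match is textual rather than numeric, which matters when checking which port group's authentication policy a given port falls under. It assumes ASCII port strings and a start port that sorts no later than the end port.

```python
# Added example (not UAM code): model of the Start Port/End Port comparison.
# Assumptions: ports are ASCII strings and the start port sorts no later
# than the end port.

def _pad(*ports):
    """Right-pad every port string with spaces to the longest length."""
    width = max(len(p) for p in ports)
    return [p.ljust(width) for p in ports]

def port_in_group(port, start="0", end="zzzzzz"):
    """Compare character by character, high order first, as the page describes."""
    start, end, port = _pad(start, end, port)
    tied_low = tied_high = True  # port equals start/end on every character so far
    for s, e, c in zip(start, end, port):
        if (tied_low and c < s) or (tied_high and c > e):
            return False              # outside the range at this position
        tied_low = tied_low and c == s
        tied_high = tied_high and c == e
        if not (tied_low or tied_high):
            return True               # strictly inside both bounds
    return True                       # last character still equal to a bound

def groups_overlap(range_a, range_b):
    """True if two (start, end) ranges share at least one port string."""
    a_start, a_end, b_start, b_end = _pad(*range_a, *range_b)
    return a_start <= b_end and b_start <= a_end

if __name__ == "__main__":
    # The page's own example: start port 0b, end port cz.
    for p in ["a", "by", "ca", "cz", "cyz", "da", "0a"]:
        print(p, port_in_group(p, "0b", "cz"))
    # Constructed cases: the comparison is textual, not numeric.
    print("15 in 1..2:", port_in_group("15", "1", "2"))    # True
    print("3 in 1..20:", port_in_group("3", "1", "20"))    # False
    # Constructed ranges for two port groups that share an IP group.
    print(groups_overlap(("0", "9"), ("5", "zzzzzz")))     # True
    print(groups_overlap(("0", "9"), ("a", "zzzzzz")))     # False
```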