Portal packet filtering rules
The access device uses portal packet filtering rules to control user traffic forwarding on a portal-enabled interface or service template.
Based on the configuration and authentication status of portal users, the device generates the following categories of portal packet filtering rules:
First category—The rule permits user packets that are destined for the portal Web server and packets that match the portal-free rules to pass through.
Second category—For an authenticated user with no ACL authorized, the rule allows the user to access any destination network resources. For an authenticated user with an ACL authorized, the rule allows the user to access only the resources permitted by the ACL. The device adds the rule when a user comes online and deletes the rule when the user goes offline.
Third category—The rule redirects all HTTP requests from unauthenticated users to the portal Web server.
Fourth category—For direct authentication and cross-subnet authentication, the rule forbids all user packets from passing through. For re-DHCP authentication, the rule forbids user packets with private source addresses from passing through.
After receiving a user packet, the device compares the packet against the filtering rules from the first category to the fourth category. Once the packet matches a rule, the matching process completes.
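The first-match evaluation order described above can be modeled as follows. This is an added example, not the device's own code, and `PortalInterface` and its methods are hypothetical names. Assumptions: HTTP is TCP port 80, portal-free rules are reduced to destination networks, "private" means RFC 1918, and traffic from an authenticated user that the authorized ACL does not permit falls through to the fourth category.

```python
import ipaddress
from dataclasses import dataclass, field

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # assumed meaning of "private"

def _in(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

@dataclass
class PortalInterface:
    portal_server: str                              # portal Web server address
    mode: str = "direct"                            # "direct", "cross-subnet" or "re-dhcp"
    free_dsts: list = field(default_factory=list)   # simplified portal-free rules
    online: dict = field(default_factory=dict)      # src IP -> ACL nets (None = no ACL)

    def login(self, src, acl=None):
        self.online[src] = acl          # category 2 rule added when the user comes online

    def logout(self, src):
        self.online.pop(src, None)      # category 2 rule deleted when the user goes offline

    def match(self, src, dst, dport):
        """Return (category, action) for the first matching rule."""
        # Category 1: portal Web server and portal-free destinations
        if dst == self.portal_server or _in(dst, self.free_dsts):
            return 1, "permit"
        # Category 2: authenticated user, limited by the authorized ACL if any
        if src in self.online:
            acl = self.online[src]
            if acl is None or _in(dst, acl):
                return 2, "permit"
        # Category 3: HTTP from an unauthenticated user (assumed TCP/80)
        elif dport == 80:
            return 3, "redirect"
        # Category 4: deny everything else; re-DHCP denies private sources only
        if self.mode != "re-dhcp" or _in(src, RFC1918):
            return 4, "deny"
        return None, "no-match"         # outside the four categories in this model

def demo():
    """Constructed addresses: the same HTTPS packet before and after login."""
    dev = PortalInterface("192.168.0.111", free_dsts=["10.10.10.0/24"])
    before = dev.match("10.0.0.5", "203.0.113.9", 443)
    dev.login("10.0.0.5")
    return before, dev.match("10.0.0.5", "203.0.113.9", 443)

if __name__ == "__main__":
    print(demo())
```

Because the first category is checked before authentication state, an overly broad portal-free rule exposes its destinations to every unauthenticated host on the interface, so those rules deserve the same review as an ACL.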