Configuration restrictions and guidelines
When you enable portal authentication on an interface, follow these restrictions and guidelines:
Make sure the interface has a valid IP address before you enable re-DHCP portal authentication on the interface.
Do not add an Ethernet interface that has portal authentication enabled to an aggregation group. Otherwise, portal authentication does not take effect.
Cross-subnet authentication mode (layer3) does not require Layer 3 forwarding devices between the access device and the portal authentication clients. However, if a Layer 3 forwarding device exists between the authentication client and the access device, you must use the cross-subnet portal authentication mode.
With re-DHCP portal authentication, configure authorized ARP on the interface as a best practice to make sure only valid users can access the network. With authorized ARP configured on the interface, the interface learns ARP entries only from the users who have obtained a public address from DHCP.
For successful re-DHCP portal authentication, make sure the BAS-IP/BAS-IPv6 attribute value is the same as the device IP or IPv6 address specified on the portal authentication server. To configure the BAS-IP/BAS-IPv6 attribute, use the portal { bas-ip | bas-ipv6 } command.
An IPv6 portal server does not support re-DHCP portal authentication.
You can enable both IPv4 portal authentication and IPv6 portal authentication on an interface.
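The interface guidelines above can be checked against a saved configuration before deployment. The following is an added example, not vendor code: the command spellings it matches (portal enable method, port link-aggregation group, arp authorized enable, ip address) are assumed Comware-style syntax and the sample configuration is constructed.

```python
import re

# Constructed sample configuration. Command spellings are assumptions
# (Comware-style syntax), not taken from the page.
SAMPLE = """\
interface GigabitEthernet1/0/1
 port link-aggregation group 1
 portal enable method direct
#
interface Vlan-interface100
 portal enable method redhcp
#
interface Vlan-interface200
 ip address 198.51.100.1 255.255.255.0
 portal enable method redhcp
 arp authorized enable
#
"""

def parse_interfaces(text):
    """Return {interface name: [config lines]} from a flat config dump."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line == "#":
            current = None          # "#" closes the current view
        elif current is not None and line:
            current.append(line)
    return blocks

def audit(text):
    """Return sorted (interface, finding) pairs for the guidelines above."""
    findings = []
    for name, lines in parse_interfaces(text).items():
        has = lambda pat: any(re.match(pat, l) for l in lines)
        if not has(r"portal (ipv6 )?enable method "):
            continue                # portal is not enabled on this interface
        if has(r"port link-aggregation group \d+"):
            findings.append((name, "portal interface is in an aggregation group"))
        if has(r"portal enable method redhcp"):
            if not has(r"ip address \S+ \S+"):
                findings.append((name, "re-DHCP enabled without an IP address"))
            if not has(r"arp authorized enable"):
                findings.append((name, "re-DHCP without authorized ARP"))
    return sorted(findings)
```

The BAS-IP guideline is not checked here because it depends on the address registered on the portal authentication server, which a device configuration alone does not show.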
When you enable portal authentication on a service template, follow these restrictions and guidelines:
Only direct portal authentication is supported on the service template.
When local forwarding is used in wireless networks, enable the validity check on wireless clients.