Wired portal remote authentication integrated with IMC
Partial configuration is as follows:
interface Vlan-interface22
 ip address 10.1.1.1 255.255.255.0
 dhcp server apply ip-pool 22
 portal enable method direct
 portal domain portal
 portal bas-ip 10.1.1.1
 portal apply web-server newpt
 portal apply mac-trigger-server mac
portal mac-trigger-server mac
 ip 10.2.2.2
 free-traffic threshold 1024
After the first successful authentication, delete the portal entry on the device, and the non-perception authentication entry and portal entry on IMC. The device then shows no portal users, yet re-authentication is not required and Internet access is still possible.
<BL_10F_HX_S6805-G_01_02>display portal user interface Vlan-interface 22
Total portal users: 0
display arp 10.5.20.77
Type: S-Static   D-Dynamic   O-Openflow   R-Rule   M-Multiport   I-Invalid
IP address      MAC address     VLAN/VSI name  Interface   Aging  Type
10.5.20.77      7032-17e7-a41e  22             XGE1/0/26   1171   D
The IP 10.5.20.77 was found to still have a Portal User ACL entry delivered to the underlying hardware:
[sw-probe]display hardware internal qacl show acl-resc slot 1 chip 0
---------------Qacl Group UsedResc Info---------------
Acl Hw Block: IACL 0
======================================================
GroupType: SYSTEM
----------------------------------------------------
acl type usedEntries
[384]CROSS VPN PERMIT 2
[174]AVOID DROP MATCH 1
[ 21]RX IPv4 Middle High 1
[ 25]RX Low 8
[175]AVOID DROP MATCH ON USER ACL 1
Acl Hw Block: IACL 3
======================================================
GroupType: SEC
----------------------------------------------------
acl type usedEntries
[ 40]Portal Free 27
[ 41]Portal User 16
[ 43]Portal Redirect 6
[ 45]Portal Deny 3
Acl Hw Block: EACL 0
[sw-probe]display hardware internal qacl show slot 1 chip 0 verbose 41
===============================================
Acl-Type[41] Portal User, block IACL 3, Global, Installed, Active
Prio 0x12800000, Group 1, Expand to 1 Sdk Entry(ies):
Sdk Entries --------
Key Type: Flex Key[35], Double
Entry Id: 64, Global
Rule Match --------
Source mac: 7032-17E7-A41E, FFFF-FFFF-FFFF
Outer Vlan: 0x16, 0xfff // 0x16 is hexadecimal, converted to decimal is 22
IP Type: Ipv4 packet
Source IP: 10.5.20.77, 255.255.255.255
ISHG: 0
Actions --------
Permit
acknowledged
The switch forwards traffic in hardware, so software statistics fail to capture it. With free-traffic configured, the traffic therefore continues to be permitted:
portal mac-trigger-server mac
 ip 10.2.2.2
 free-traffic threshold 1024
After free-traffic threshold 1024 was deleted, the ACL entries still remained.
Tried reconfiguring portal, or running process restart name portald all in probe view to reset the portal process.
The ACL entries were not reset.
After the device was rebooted, the ACL entries disappeared and authentication returned to normal.
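The manual comparison made in this case (Portal User ACL entries in hardware versus online portal users) can be scripted. The following is an added example, not part of the original case: the sample text is constructed and trimmed from the probe-view output shown above, and the function and variable names are hypothetical.

```python
import re

# Constructed sample, trimmed from the probe-view "verbose 41" output in this case.
QACL_VERBOSE = """\
Acl-Type[41] Portal User, block IACL 3, Global, Installed, Active
Sdk Entries --------
Entry Id: 64, Global
Rule Match --------
Source mac: 7032-17E7-A41E, FFFF-FFFF-FFFF
Outer Vlan: 0x16, 0xfff
Source IP: 10.5.20.77, 255.255.255.255
Actions --------
Permit
"""

# Constructed: IPs taken from "display portal user" (empty = "Total portal users: 0").
ONLINE_PORTAL_IPS = set()


def parse_portal_user_acl(text):
    """Return one dict per 'Portal User' hardware ACL entry in the verbose dump."""
    entries, cur, in_portal_user = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Acl-Type["):
            in_portal_user, cur = "Portal User" in line, None
        elif in_portal_user and line.startswith("Entry Id:"):
            cur = {"entry_id": int(re.search(r"\d+", line).group())}
            entries.append(cur)
        elif cur is not None and in_portal_user:
            if m := re.match(r"Source mac:\s*([0-9A-Fa-f-]+),", line):
                cur["mac"] = m.group(1).lower()
            elif m := re.match(r"Outer Vlan:\s*(0x[0-9A-Fa-f]+),", line):
                cur["vlan"] = int(m.group(1), 16)  # 0x16 -> 22
            elif m := re.match(r"Source IP:\s*([\d.]+),", line):
                cur["ip"] = m.group(1)
            elif line in ("Permit", "Deny"):
                cur["action"] = line
    return entries


def stale_entries(acl_text, online_ips):
    """Permit entries whose source IP has no matching online portal user."""
    return [e for e in parse_portal_user_acl(acl_text)
            if e.get("action") == "Permit" and e.get("ip") not in online_ips]

if __name__ == "__main__":
    for e in stale_entries(QACL_VERBOSE, ONLINE_PORTAL_IPS):
        print("stale Portal User ACL:", e)
```

Any entry reported here is a host that the hardware still permits although the portal process no longer tracks it as authenticated, which is the condition observed for 10.5.20.77.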