The Extensible Authentication Protocol (EAP) supports several digital certificate-based authentication
methods, such as EAP-TLS. Combined with EAP, portal authentication can provide digital
certificate-based user authentication.
Figure 35 Portal support for EAP working flow diagram
As shown in Figure 40, the authentication client and the portal server exchange EAP authentication
packets. The portal server and the access device exchange portal authentication packets that carry the
EAP-Message attributes. The access device and the RADIUS server exchange RADIUS packets that carry
the EAP-Message attributes. The RADIUS server that supports the EAP server function processes the EAP
packets encapsulated in the EAP-Message attributes, and provides the EAP authentication result. During
the whole EAP authentication process, the access device does not process the packets that carry the
EAP-Message attributes but only transports them between the portal server and the RADIUS server.
Therefore, no additional configuration is needed on the access device.
NOTE:
• To use portal authentication that supports EAP, the portal server and client must be the HP iMC portal
server and the HP iNode portal client.
• Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication.
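The following added example (not from the original guide or from HP) shows what "RADIUS packets that carry the EAP-Message attributes" look like on the wire: an EAP packet split across EAP-Message attributes and protected by the Message-Authenticator attribute that RFC 3579 requires alongside them. The function names, the sample EAP packet and the shared secret are constructed for illustration, and only the Access-Request direction is covered.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types (RFC 3579)
# Constructed sample: EAP-Response (code 2), type 13 (EAP-TLS), 600 bytes total
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 600, 13) + bytes(595)

def build_access_request(identifier, eap_packet, secret):
    """Wrap an EAP packet in a RADIUS Access-Request (code 1)."""
    attrs = b""
    # Values max out at 253 bytes, so a large EAP packet spans several attributes.
    for i in range(0, len(eap_packet), 253):
        chunk = eap_packet[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed for now
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    # Message-Authenticator = HMAC-MD5(shared secret, whole packet)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def extract_eap(packet, secret):
    """Check Message-Authenticator, then return the reassembled EAP packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    buf, pos, eap, mac_at = bytearray(packet[:length]), 20, b"", None
    while pos < length:
        if pos + 2 > length or buf[pos + 1] < 2 or pos + buf[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = buf[pos], buf[pos + 1]
        if atype == EAP_MESSAGE:
            eap += bytes(buf[pos + 2:pos + alen])  # concatenate in order
        elif atype == MESSAGE_AUTHENTICATOR and alen == 18:
            mac_at = pos + 2
        pos += alen
    if mac_at is None:
        raise ValueError("no Message-Authenticator attribute")
    received = bytes(buf[mac_at:mac_at + 16])
    buf[mac_at:mac_at + 16] = bytes(16)
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator mismatch")
    return eap
```

Because the access device only relays these attributes, the integrity of the EAP exchange on the RADIUS leg rests on the shared secret between the access device and the RADIUS server.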
Layer 2 portal authentication process
Figure 36 Local Layer 2 portal authentication process
Local Layer 2 portal authentication proceeds as follows:
1. The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the
access device redirects it to the listening IP address of the local portal server, which then pushes a
web authentication page to the authentication client. The user types the username and password
on the web authentication page. The listening IP address of the local portal server is the IP address
of a Layer 3 interface on the access device that can communicate with the portal client. Usually, it
is a loopback interface's IP address.
2. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
3. If the user passes RADIUS authentication, the local portal server pushes a logon success page to
the authentication client.
Authorized VLAN
Layer 2 portal authentication supports VLAN assignment by the authentication server. After a user passes
portal authentication, if the authentication server is configured with an authorized VLAN for the user, the