NOTE:
After a user is added to the authorized VLAN or Auth-Fail VLAN, the IP address of the client must be
updated, automatically or manually, so that the client can communicate with the hosts in the LAN.
Assignment of authorized ACLs
The device can use ACLs to control user access to network resources and limit user access rights. When
authorized ACLs are specified on the authentication server, the server assigns an authorized ACL to a user
who passes authentication, and the device filters the user's traffic on the access port according to that
ACL. If you specify authorized ACLs on the authentication server, you must also configure those ACLs on the
access device. To change the access rights of a user, either specify a different authorized ACL on the
authentication server or change the rules of the corresponding authorized ACL on the device.
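As an added illustration (not code from this guide or its vendor), the following Python model shows the division of responsibility described above: the authentication server returns only an ACL number, the access device must have that ACL configured locally, and the device filters the authenticated user's traffic by first-match evaluation. The ACL numbers, rules, user names and the implicit final deny are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    dst: ipaddress.IPv4Network       # destination prefix the rule matches
    protocol: str = "any"            # "any", "tcp", "udp", ...


# Constructed sample: ACLs configured locally on the access device.
DEVICE_ACLS = {
    "3001": [Rule("permit", ipaddress.ip_network("10.1.0.0/16"), "tcp"),
             Rule("deny", ipaddress.ip_network("0.0.0.0/0"))],
    "3002": [Rule("permit", ipaddress.ip_network("0.0.0.0/0"))],
}

# Constructed sample: authorized ACL number the authentication server
# returns for each user on successful authentication.
SERVER_AUTHORIZED_ACL = {"alice": "3001", "bob": "3002", "carol": "3999"}


def authorize(username, server=SERVER_AUTHORIZED_ACL):
    """Return the ACL number the server assigns, or None if it assigns none."""
    return server.get(username)


def missing_on_device(server=SERVER_AUTHORIZED_ACL, device=DEVICE_ACLS):
    """Config check: ACL numbers the server may assign that the device lacks."""
    return sorted({acl for acl in server.values() if acl not in device})


def filter_packet(acl_id, dst_ip, protocol, device=DEVICE_ACLS):
    """Evaluate the user's authorized ACL for one packet on the access port.

    Rules are matched in order and the first hit decides; a packet that
    matches no rule is dropped (assumed implicit deny for this example).
    """
    dst = ipaddress.ip_address(dst_ip)
    for rule in device[acl_id]:
        if dst in rule.dst and rule.protocol in ("any", protocol):
            return rule.action == "permit"
    return False


if __name__ == "__main__":
    acl = authorize("alice")
    print(acl, filter_packet(acl, "10.1.2.3", "tcp"), filter_packet(acl, "192.0.2.1", "tcp"))
    print("assigned by server but not on device:", missing_on_device())
```

Running `missing_on_device()` before enabling portal authentication is the kind of audit the "you must also configure those ACLs on the access device" requirement calls for.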
Layer 3 portal authentication process
Direct authentication and cross-subnet authentication share the same authentication process. Re-DHCP
authentication follows a different process because it involves two address allocation procedures.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 40 Direct authentication/cross-subnet authentication process
Direct authentication and cross-subnet authentication follow this procedure:
1. An authentication client initiates authentication by sending an HTTP request. When the HTTP
packet arrives at the access device, the access device allows it to pass if it is destined for the portal
server or a predefined free website, or redirects it to the portal server if it is destined for other
websites. The portal server pushes a Web authentication page to the user and the user enters the
username and password.
2. The portal server and the access device exchange Challenge Handshake Authentication Protocol
(CHAP) messages. For Password Authentication Protocol (PAP) authentication, this step is skipped.