140
The Extensible Authentication Protocol (EAP) supports several digital certificate-based
authentication methods, for example, EAP-TLS. Working together with EAP, portal authentication
can implement digital certificate-based user authentication.
Figure 42 Portal support for EAP working flow diagram
As shown in Figure 42, the authentication client and the portal authentication server exchange EAP
authentication packets. The portal authentication server and the access device exchange portal
authentication packets that carry the EAP-Message attributes. The access device and the RADIUS
server exchange RADIUS packets that carry the EAP-Message attributes. The RADIUS server that
supports the EAP server function processes the EAP packets encapsulated in the EAP-Message
attributes, and provides the EAP authentication result.
The access device does not process but only transports EAP-Message attributes between the portal
authentication server and the RADIUS server. Therefore, the access device requires no additional
configuration to support EAP authentication.
NOTE:
• To use portal authentication that supports EAP, the portal authentication server and client must be the HPE
IMC portal server and the HPE iNode portal client.
• Local portal authentication does not support EAP authentication.
Portal authentication process
Direct authentication and cross-subnet authentication share the same authentication process.
Re-DHCP authentication has a different process as it has two address allocation procedures.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 43 Direct authentication/cross-subnet authentication process
The direct/cross-subnet authentication process is as follows:
1. A portal user access the Internet through HTTP, and the HTTP packet arrives at the access
device.
{ If the packet matches a portal free rule, the access device allows the packet to pass.
AAA server
Authentication
client
Portal
authentication
server
Access
device
1) Initiate a connection
3) CHAP authentication
4) Authentication request
6) Authentication reply
5) RADIUS
authentication
7) Notify login
success
8) Authentication reply
acknowledgment
Security
policy server
10) Authorization
Timer
9) Security check
Portal Web
server
2) User information
To Next Page
Loading...
Need help?
General