284
page, the logon failure page, and the system busy page. A local portal server pushes a
corresponding authentication page at each authentication phase. If you do not customize the
authentication pages, the local portal server pushes the default authentication pages. For
information about authentication page customization rules, see "Customizing authentication pages."
Portal authentication modes
Portal authentication can work at Layer 2 or Layer 3 of the OSI model.
Layer 2 portal authentication
The following matrix shows the feature and hardware compatibility:
Hardware Feature compatibility
MSR900 No
MSR93X No
MSR20-1X No
MSR20 No
MSR30
Supported only on MIM-FSW modules, MSR30-11E,
and MSR30-11F
MSR50 No
MSR1000 No
You can enable Layer 2 portal authentication on an access device's Layer 2 port that connects
authentication clients, so that only clients whose MAC addresses pass authentication can access the
external network. Only the local portal server provided by the access device supports Layer 2 portal
authentication.
Layer 3 portal authentication
You can enable Layer 3 authentication on an access device's Layer 3 interfaces that connect
authentication clients. Portal authentication performed on a Layer 3 interface can be direct
authentication, re-DHCP authentication, or cross-subnet authentication. In direct authentication and
re-DHCP authentication, no Layer 3 forwarding devices exist between the authentication client and
the access device. In cross-subnet authentication, Layer 3 forwarding devices might exist between
the authentication client and the access device.
• Direct authentication
Before authentication, a user manually configures a public IP address or directly obtains a
public IP address through DHCP, and can access only the portal server and predefined free
websites. After passing authentication, the user can access the network resources. The
process of direct authentication is simpler than that of re-DHCP authentication.
• Re-DHCP authentication
Before authentication, a user gets a private IP address through DHCP and can access only the
portal server and predefined free websites. After passing authentication, the user is allocated a
public IP address and can access the network resources. No public IP address is allocated to
those who fail authentication. This solves the IP address planning and allocation problem. For
example, a service provider can allocate public IP addresses to broadband users only when
they access networks beyond the residential community network.
The local portal server does not support re-DHCP portal authentication.
• Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding
devices to be present between the authentication client and the access device.
To Next Page
Loading...
Need help?
General
