
HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

HPE FlexNetwork MSR Series
547 pages
The local Layer 2 portal authentication process is as follows:

1. The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the access device redirects the request to the listening IP address of the local portal server, which then pushes a Web authentication page to the authentication client. The user types the username and password on the Web authentication page. The listening IP address of the local portal server is the IP address of a Layer 3 interface on the access device that can communicate with the portal client. Usually, it is a loopback interface's IP address.
2. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
3. If the user passes RADIUS authentication, the local portal server pushes a logon success page to the authentication client.

ACL assignment

The device can use ACLs to control user access to network resources and limit user access rights. With authorized ACLs specified on the authentication server, when a user passes authentication, the authentication server assigns an authorized ACL for the user, and the device filters traffic from the user on the access port according to the authorized ACL. You must configure the authorized ACLs on the access device if you specify authorized ACLs on the authentication server. To change the access right of a user, specify a different authorized ACL on the authentication server or change the rules of the corresponding authorized ACL on the device.
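
The requirement above, that every authorized ACL named on the authentication server is also configured on the access device, can be checked offline. The following is an added example, not part of the HPE guide: it assumes the device configuration lists ACLs as `acl number N` followed by indented `rule` lines, and the server-side mapping, group names and sample configuration are constructed for illustration.

```python
import re

# Constructed sample of a device configuration excerpt (not from the manual).
DEVICE_CONFIG = """\
acl number 3000
 rule 0 permit ip destination 10.1.1.0 0.0.0.255
 rule 5 deny ip
#
acl number 3001
#
interface Ethernet0/1
"""

# Constructed sample: authorized ACL the authentication server assigns per group.
SERVER_AUTHORIZED_ACLS = {"staff": 3000, "guest": 3001, "contractor": 3002}

ACL_HEADER = re.compile(r"^acl number (\d+)\b")
ACL_RULE = re.compile(r"^\s+rule\b")


def parse_device_acls(config_text):
    """Return {acl_number: rule_count} for every ACL defined in the config."""
    acls, current = {}, None
    for line in config_text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = int(header.group(1))
            acls[current] = 0
        elif current is not None and ACL_RULE.match(line):
            acls[current] += 1
        elif not line.startswith(" "):
            current = None  # an unindented line ends the ACL section
    return acls


def audit_authorized_acls(server_acls, config_text):
    """List (group, acl, problem) for server-side assignments that need review."""
    device_acls, findings = parse_device_acls(config_text), []
    for group, acl in sorted(server_acls.items()):
        if acl not in device_acls:
            findings.append((group, acl, "not configured on device"))
        elif device_acls[acl] == 0:
            findings.append((group, acl, "configured but has no rules"))
    return findings


if __name__ == "__main__":
    for finding in audit_authorized_acls(SERVER_AUTHORIZED_ACLS, DEVICE_CONFIG):
        print("%s: ACL %d %s" % finding)
```

Running the audit after each change to the server-side assignments or the device ACLs catches a mismatch before users authenticate against it.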

Layer 3 portal authentication process

Direct authentication and cross-subnet authentication share the same authentication process. Re-DHCP authentication has a different process because of the presence of two address allocation procedures.

Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)

Figure 89 Direct authentication/cross-subnet authentication process

The direct authentication/cross-subnet authentication process is as follows:

1. An authentication client initiates authentication by sending an HTTP request. When the HTTP packet arrives at the access device, the access device allows it to pass if it is destined for the portal server or a predefined free website, or redirects it to the portal server if it is destined for other websites. The portal server pushes a Web authentication page to the user and the user enters the username and password.
2. The portal server and the access device exchange CHAP messages. This step is skipped for PAP authentication.
