Layer 3 portal authentication process – H3C Technologies H3C SecPath F1000-E User Manual


packets from the client to go through the access port. Because no Layer 3 devices are present between the authentication clients and the access device in direct authentication and re-DHCP authentication, the access device can directly learn the MAC addresses of the clients, and thus can control the forwarding of packets from clients in a more granular way by also using the learned MAC addresses.

Layer 3 portal authentication process

Direct authentication and cross-subnet authentication share the same authentication process, while re-DHCP authentication has a different process because of the presence of two address allocation procedures.

Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)

Figure 110 Direct authentication/cross-subnet authentication process

Direct authentication and cross-subnet authentication proceed as follows:

1. An authentication client initiates authentication by sending an HTTP request. When the HTTP packet arrives at the access device, the access device allows it to pass if it is destined for the portal server or a predefined free website, or redirects it to the portal server if it is destined for other websites. The portal server pushes a Web authentication page to the user and the user enters the username and password.

2. The portal server and the access device exchange Challenge Handshake Authentication Protocol (CHAP) messages. For Password Authentication Protocol (PAP) authentication, this step is skipped.

3. The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication acknowledgment message.

4. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.

5. The access device sends an authentication reply to the portal server.

6. The portal server sends an authentication success message to the authentication client to notify it of logon success.

7. The portal server sends an authentication reply acknowledgment message to the access device.
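
The difference between the CHAP and PAP paths in steps 2 to 4, as an added example (not code from the H3C manual or H3C software). The CHAP response is computed as RFC 1994 defines it; the message field names, the sample account, and the access device being the party that issues the challenge are assumptions, since this page does not show the portal message format.

```python
import hashlib
import hmac
import os

# Constructed sample account store standing in for the RADIUS user database.
USERS = {"alice": b"correct horse"}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_auth_request(user, password, challenge=None, ident=0) -> dict:
    """Step 3: what the portal server places in the authentication request.
    Field names are hypothetical, not the H3C portal message layout."""
    if challenge is None:
        # PAP: step 2 was skipped, so the password itself travels in the request.
        return {"mode": "PAP", "user": user, "password": password}
    # CHAP: only a digest bound to this challenge and identifier is sent.
    return {"mode": "CHAP", "user": user, "id": ident,
            "response": chap_response(ident, password, challenge)}


def verify(request: dict, challenge=None) -> bool:
    """Step 4: the credential check performed by the authenticating side."""
    stored = USERS.get(request["user"])
    if stored is None:
        return False
    if request["mode"] == "PAP":
        return hmac.compare_digest(request["password"], stored)
    if challenge is None:
        return False
    expected = chap_response(request["id"], stored, challenge)
    return hmac.compare_digest(request["response"], expected)


if __name__ == "__main__":
    # Step 2 (assumption: the access device issues a fresh random challenge).
    challenge = os.urandom(16)
    chap = build_auth_request("alice", b"correct horse", challenge, ident=7)
    pap = build_auth_request("alice", b"correct horse")
    print("CHAP accepted:", verify(chap, challenge))
    print("PAP accepted:", verify(pap))
    # A CHAP response is bound to its challenge and fails against another one.
    print("CHAP against a new challenge:", verify(chap, os.urandom(16)))
```

With PAP the link between the portal server and the access device carries the password itself, so that path needs its own protection; with CHAP the value sent is only valid for the one challenge it was computed against.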

With extended portal functions, the process includes two additional steps:
