Portal server, Authentication/accounting server, Security policy server – H3C Technologies H3C S7500E Series Switches User Manual

- Interacting with the portal server, security policy server and authentication/accounting server for identity authentication, security checking, and accounting.

- Allowing users who have passed identity authentication and security checking to access granted Internet resources.

Portal server

Server that listens to authentication requests from authentication clients and exchanges client authentication information with the access device. It provides free portal services and pushes web authentication pages to users.

Authentication/accounting server

Server that implements user authentication and accounting through interaction with the access device.

Security policy server

Server that interacts with authentication clients and access devices for security checking and resource authorization.

The above five components interact in the following procedure:

1) When an unauthenticated user enters a website address in the address bar of the browser to access the Internet, an HTTP request is created and sent to the access device, which redirects the HTTP request to the web authentication homepage of the portal server. For extended portal functions, authentication clients must run the portal client software.

2) On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the access device.

3) Upon receipt of the authentication information, the access device communicates with the authentication/accounting server for authentication and accounting.

4) After successful authentication, the access device checks whether there is a corresponding security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the access device and security policy server for security checking. If the client passes security checking, the security policy server authorizes the user to access the Internet resources.

- An authentication client uses its IP address as its ID. To avoid authentication failures due to address translations, make sure that there is no Network Address Translation (NAT) device between the authentication client, access device, portal server, and authentication/accounting server when deploying portal authentication.

- Currently, only a RADIUS server can serve as the remote authentication/accounting server in a portal system.

- Currently, security checking requires the cooperation of the iNode client.
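
The four-step procedure and the NAT note above can be followed in a small model of the access device. This is an added example, not H3C code: the class, method and state names are hypothetical, the RADIUS server is a plain dictionary, and the model assumes the access device rejects authentication for a client IP it has not seen.

```python
# Added example: simplified model of the access device; all names are hypothetical.
from enum import Enum

class State(Enum):
    # Each value is what the model does with the client's HTTP traffic.
    UNAUTHENTICATED = "redirect-to-portal"
    SECURITY_CHECK = "hold-until-security-check-passes"
    AUTHORIZED = "forward"

class AccessDevice:
    def __init__(self, radius_users, policy_users):
        self.radius_users = radius_users  # stand-in for the RADIUS server
        self.policy_users = policy_users  # users that have a security policy
        self.sessions = {}                # keyed by client IP, the client's ID

    def http_request(self, src_ip):  # step 1
        return self.sessions.setdefault(src_ip, State.UNAUTHENTICATED).value

    def portal_auth(self, reported_ip, user, password):  # steps 2 to 4
        # The portal server hands over the credentials with the IP it saw.
        if reported_ip not in self.sessions:  # assumption: unknown IP is rejected
            return "fail: unknown client IP"
        if self.radius_users.get(user) != password:
            return "fail: rejected by authentication server"
        if user in self.policy_users:
            self.sessions[reported_ip] = State.SECURITY_CHECK
            return "security-check-required"
        self.sessions[reported_ip] = State.AUTHORIZED
        return "authorized"

    def security_result(self, client_ip, passed):  # step 4, security checking
        if self.sessions.get(client_ip) is not State.SECURITY_CHECK:
            return "ignored"
        if passed:
            self.sessions[client_ip] = State.AUTHORIZED
        return "authorized" if passed else "denied"

def demo():
    # Constructed users and addresses; 192.0.2.1 plays a NAT-translated address.
    dev = AccessDevice({"alice": "pw1", "bob": "pw2"}, policy_users={"bob"})
    for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        dev.http_request(ip)
    return [
        dev.portal_auth("10.0.0.5", "alice", "pw1"),   # no security policy
        dev.portal_auth("10.0.0.6", "bob", "pw2"),     # has a security policy
        dev.http_request("10.0.0.6"),
        dev.security_result("10.0.0.6", True),
        dev.http_request("10.0.0.6"),
        dev.portal_auth("192.0.2.1", "alice", "pw1"),  # client is really 10.0.0.7
    ]
```

The last call fails because the address the portal server reports no longer matches the address the access device uses as the client's ID, which is the failure the NAT note warns about.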