Portal authentication modes, Non-layer 3 authentication, Layer 3 authentication – H3C Technologies H3C S7500E Series Switches User Manual

8-4

Portal Authentication Modes

Portal authentication supports two modes: non-Layer 3 authentication and Layer 3

authentication.

Non-Layer 3 authentication

Non-Layer 3 authentication falls into two categories: direct authentication and Re-DHCP

authentication.

z

Direct authentication

Before authentication, a user manually configures an IP address or directly obtains a public IP

address through DHCP, and can access only the portal server and predefined free websites.

After passing authentication, the user can access the network resources. The process of direct

authentication is simpler than that of re-DHCP authentication.

z

Re-DHCP authentication

Before authentication, a user gets a private IP address through DHCP and can access only the

portal server and predefined free websites. After passing authentication, the user is allocated a

public IP address and can access the network resources. No public IP address is allocated to

those who fails authentication. This solves the problem about IP address planning and

allocation and proves to be useful. For example, a service provider can allocate public IP

addresses to broadband users only when they access networks beyond the residential

community network.

Layer 3 authentication

Layer 3 portal authentication is similar to direct authentication. However, in Layer-3 portal

authentication mode, Layer 3 forwarding devices can be present between the authentication

client and the access device.

Differences between Layer 3 and non-Layer 3 authentication modes

z

Networking mode

From this point of view, the difference between these two authentication modes lies in whether

or not a Layer 3 forwarding device can be present between the authentication client and the

access device. The former supports Layer 3 forwarding devices, while the latter does not.

z

User identifier

In Layer 3 authentication mode, a client is uniquely identified by an IP address. This is because

the mode supports Layer 3 forwarding devices between the authentication client and the access

device but the access device does not learn the MAC address of the authentication client. In

non-Layer 3 authentication mode, a client is uniquely identified by the combination of its IP

address and MAC address because the access device can learn the MAC address of the

authentication client.

Due to the above differences, when the MAC address of an authentication client remains the

same but the IP address changes, a new portal authentication will be triggered in Layer-3

authentication mode but will not be triggered in non-Layer 3 authentication mode. In non-Layer

3 authentication mode, a new portal authentication will be triggered only when both the MAC

and IP address of the authentication client are changed.