Security policy server, Interaction between portal system components, Portal authentication modes – H3C Technologies H3C S6300 Series Switches User Manual
Security policy server
The security policy server interacts with the portal client and the access device for security check and
authorization for users.
Interaction between portal system components
The components of a portal system interact as follows:
1. An unauthenticated user initiates authentication by accessing an Internet website through a Web browser. When receiving the HTTP request, the access device redirects it to the Web authentication page provided by the portal Web server. The user can also visit the authentication website to log in. The user must log in through the H3C iNode client for extended portal functions.
2. The user enters the authentication information on the authentication page/dialog box and submits the information. The portal Web server forwards the information to the portal authentication server. Then the portal authentication server processes the information and forwards it to the access device.
3. The access device interacts with the AAA server to implement authentication, authorization, and accounting for the user.
4. If security policies are not imposed on the user, the access device allows the authenticated user to access the Internet. If security policies are imposed on the user, the portal client, the access device, and the security policy server interact to check the user host. If the user passes the security check, the security policy server authorizes the user to access resources based on the check result. Portal authentication through Web does not support security check for users. To implement security check, the client must be the H3C iNode client.
NOTE:
Portal authentication supports NAT traversal whether it is initiated by a Web client or an H3C iNode
client. NAT traversal must be configured when the portal client is on a private network and the portal
server is on a public network.
Portal authentication modes
Portal authentication has three modes: direct authentication, re-DHCP authentication, and cross-subnet
authentication. In direct authentication and re-DHCP authentication, no Layer 3 forwarding devices exist
between the authentication client and the access device. In cross-subnet authentication, Layer 3
forwarding devices can exist between the authentication client and the access device.
Direct authentication
A user manually configures a public IP address or obtains a public IP address through DHCP. Before
authentication, the user can access only the portal Web server and predefined authentication-free
websites. After passing authentication, the user can access Internet resources. The process of direct
authentication is simpler than that of re-DHCP authentication.
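To make the four interaction steps and the before/after-authentication access rule concrete, here is a simplified Python model of the access device's decisions. It is an added example, not H3C code, and does not reflect the switch's implementation; the Mode, User and AccessDevice names and the "web"/"inode" client labels are assumptions. The re-DHCP branch hands out a public address only after a successful AAA exchange, as this section describes for that mode.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set

class Mode(Enum):
    DIRECT = "direct"       # client already holds a public address
    RE_DHCP = "re-dhcp"     # private address before, public address after authentication

@dataclass
class User:
    ip: str
    client: str                       # "web" or "inode" (hypothetical labels)
    authenticated: bool = False
    security_checked: bool = False    # host security check passed (iNode client only)

class AccessDevice:
    """Toy model of the access device's portal enforcement (not H3C code)."""
    def __init__(self, mode: Mode, portal_web_server: str, auth_free: Set[str],
                 security_policy: bool = False, public_pool: Optional[List[str]] = None):
        self.mode = mode
        self.portal_web_server = portal_web_server
        self.auth_free = auth_free                 # predefined authentication-free websites
        self.security_policy = security_policy     # are security policies imposed on users?
        self.public_pool = list(public_pool or []) # public addresses handed out in re-DHCP mode

    def handle_http(self, user: User, dest: str) -> str:
        """Step 1: forward, redirect to the portal Web server, or deny an HTTP request."""
        if dest == self.portal_web_server or dest in self.auth_free:
            return "forward"                       # reachable before authentication
        if not user.authenticated:
            return "redirect"
        if self.security_policy and not user.security_checked:
            return "deny"                          # step 4: host check not yet passed
        return "forward"

    def authenticate(self, user: User, aaa_accepts: bool) -> bool:
        """Steps 2-3: credentials have gone portal Web server -> portal auth server -> AAA."""
        if not aaa_accepts:
            return False                           # re-DHCP: no public address on failure
        user.authenticated = True
        if self.mode is Mode.RE_DHCP:
            user.ip = self.public_pool.pop(0)      # public address assigned only now
        return True

    def security_check(self, user: User, host_compliant: bool) -> bool:
        """Step 4: only the iNode client takes part in the security check."""
        if user.client != "inode":
            raise ValueError("Web portal authentication does not support security check")
        user.security_checked = host_compliant
        return host_compliant
```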
Re-DHCP authentication
Before authentication, a user obtains a private IP address through DHCP and can access only the portal
Web server and predefined authentication-free websites. After passing authentication, the user is
assigned a public IP address and can access Internet resources. No public IP address is allocated to
those who fail authentication. Re-DHCP authentication saves public IP addresses. For example, an ISP