Portal server, Authentication/accounting server, Security policy server – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Portal server
Server that listens to authentication requests from portal clients and exchanges client authentication
information with the access device. It provides free portal services and a web-based authentication
interface.
Authentication/accounting server
Server that implements user authentication and accounting through interaction with the access device.
Security policy server
Server that interacts with portal clients and access devices for security authentication and resource
authorization.
The above five components interact in the following procedure:
1) When an unauthenticated user enters a website address in the Internet Explorer (IE) address bar to access the
Internet, an HTTP request is created and sent to the access device, which redirects the HTTP
request to the web authentication homepage of the portal server. For extended portal functions,
authentication clients must run the portal client.
2) On the authentication homepage/authentication dialog box, the user enters and submits the
authentication information, which the portal server then transfers to the access device.
3) Upon receipt of the authentication information, the access device communicates with the
authentication/accounting server for authentication and accounting.
4) After successful authentication, the access device checks whether there is a corresponding security
policy for the user. If not, it allows the user to access the Internet. Otherwise, the client, the access
device and the security policy server communicate to perform security authentication of the user,
and the security policy server authorizes the user to access resources depending on the security
authentication result.
Since a portal client uses an IP address as its ID, ensure that there is no Network Address
Translation (NAT) device between the authentication client, access device, portal server, and
authentication/accounting server when deploying portal authentication. This is to avoid
authentication failure due to NAT operations.
Currently, only a RADIUS server can serve as the remote authentication/accounting server in a
portal system.
Currently, security authentication requires the cooperation of the H3C iNode client.
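The procedure and the NAT note above, as an added example that is not part of the H3C manual: a simplified Python model in which the access device keys all state on the client IP address. The class names, the `pending` set, the state labels and the sample addresses are assumptions made for illustration, not H3C behaviour or configuration.

```python
# Simplified model of steps 1-4; all names are hypothetical, not H3C code.
class AccessDevice:
    def __init__(self, radius_users, policy_users, portal_url):
        self.radius_users = radius_users  # stand-in for the RADIUS server
        self.policy_users = policy_users  # users that have a security policy
        self.portal_url = portal_url
        self.pending = set()              # client IPs redirected in step 1
        self.sessions = {}                # client IP -> state (IP is the ID)

    def http_request(self, src_ip, url):
        """Step 1: forward online clients, redirect everyone else."""
        if self.sessions.get(src_ip) == "online":
            return ("forward", url)
        self.pending.add(src_ip)
        return ("redirect", self.portal_url)

    def portal_auth(self, client_ip, user, password):
        """Steps 2-4: credentials from the portal server, keyed by the IP it saw."""
        if client_ip not in self.pending:
            return "fail: unknown client IP"
        if self.radius_users.get(user) != password:
            return "fail: rejected by authentication server"
        self.pending.discard(client_ip)
        needs_check = user in self.policy_users
        self.sessions[client_ip] = "security-check" if needs_check else "online"
        return self.sessions[client_ip]

    def security_result(self, client_ip, passed):
        """Step 4, policy branch. "restricted" is an assumed label for
        whatever limited access the security policy server grants."""
        if self.sessions.get(client_ip) == "security-check":
            self.sessions[client_ip] = "online" if passed else "restricted"
        return self.sessions.get(client_ip)

class PortalServer:
    def __init__(self, device, nat=None):
        self.device = device
        self.nat = nat or {}  # constructed NAT table: real IP -> translated IP
    def submit(self, real_ip, user, password):
        seen_ip = self.nat.get(real_ip, real_ip)  # source IP after any NAT
        return self.device.portal_auth(seen_ip, user, password)

def demo(nat=None, policy_users=()):
    dev = AccessDevice({"alice": "pw"}, set(policy_users), "http://portal.example/")
    portal, client = PortalServer(dev, nat), "10.0.0.5"  # constructed values
    first = dev.http_request(client, "http://example.com/")[0]
    result = portal.submit(client, "alice", "pw")
    after = dev.http_request(client, "http://example.com/")[0]
    return first, result, after
```

Calling `demo(nat={"10.0.0.5": "192.0.2.1"})` shows the failure the note warns about: the address the portal server reports no longer matches the client the access device redirected, so the client stays unauthenticated.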
Portal System Using the Local Portal Server
System components
In addition to using a separate device as the portal server, a portal system can also use the local portal
server function of the access device to authenticate Web users directly. In this case, the portal system
consists of only three components: authentication client, access device, and authentication/accounting
server, as shown in