Non-layer 3 authentication, Layer 3 authentication – H3C Technologies H3C WX6000 Series Access Controllers User Manual

36-5

Non-Layer 3 authentication

Non-Layer 3 authentication falls into two categories: direct authentication and Re-DHCP authentication.

Direct authentication

Before authentication, a user manually configures an IP address or directly obtains a public IP address

through DHCP, and can access only the portal server and predefined free websites. After passing

authentication, the user can access the network resources. The process of direct authentication is

simpler than that of re-DHCP authentication.

Re-DHCP authentication

Before authentication, a user gets a private IP address through DHCP and can access only the portal

server and predefined free websites. After passing authentication, the user is allocated a public IP

address and can access the network resources. No public IP address is allocated to those who fails

authentication. This solves the problem about IP address planning and allocation and proves to be

useful. For example, a service provider can allocate public IP addresses to broadband users only when

they access networks beyond the residential community network.

The local portal server function does not support re-DHCP authentication.

Layer 3 authentication

Layer 3 portal authentication is similar to direct authentication. However, in Layer-3 portal

authentication mode, Layer 3 forwarding devices can be present between the authentication client and

the access device.

Differences between Layer 3 and non-Layer 3 authentication modes

Networking mode

From this point of view, the difference between these two authentication modes lies in whether or not a

Layer 3 forwarding device can be present between the authentication client and the access device. The

former supports Layer 3 forwarding devices, while the latter does not.

User identifier

In Layer 3 authentication mode, a client is uniquely identified by an IP address. This is because the

mode supports Layer 3 forwarding devices between the authentication client and the access device but

the access device does not learn the MAC address of the authentication client. In non-Layer 3

authentication mode, a client is uniquely identified by the combination of its IP address and MAC

address because the access device can learn the MAC address of the authentication client.

Due to the above differences, when the MAC address of an authentication client remains the same but

the IP address changes, a new portal authentication will be triggered in Layer-3 authentication mode

but will not be triggered in non-Layer 3 authentication mode. In non-Layer 3 authentication mode, a new

portal authentication will be triggered only when both the MAC and IP address of the authentication

client are changed.