Non-layer 3 authentication, Layer 3 authentication – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Non-Layer 3 authentication
Non-Layer 3 authentication falls into two categories: direct authentication and re-DHCP authentication.
Direct authentication
Before authentication, a user manually configures an IP address or directly obtains a public IP address
through DHCP, and can access only the portal server and predefined free websites. After passing
authentication, the user can access the network resources. The process of direct authentication is
simpler than that of re-DHCP authentication.
Re-DHCP authentication
Before authentication, a user gets a private IP address through DHCP and can access only the portal
server and predefined free websites. After passing authentication, the user is allocated a public IP
address and can access the network resources. No public IP address is allocated to users who fail
authentication. This solves the problem of IP address planning and allocation and proves to be
useful. For example, a service provider can allocate public IP addresses to broadband users only when
they access networks beyond the residential community network.
The local portal server function does not support re-DHCP authentication.
Layer 3 authentication
Layer 3 portal authentication is similar to direct authentication. However, in Layer 3 portal
authentication mode, Layer 3 forwarding devices can be present between the authentication client and
the access device.
Differences between Layer 3 and non-Layer 3 authentication modes
Networking mode
In terms of networking mode, the difference between the two authentication modes lies in whether a
Layer 3 forwarding device can be present between the authentication client and the access device.
Layer 3 authentication supports Layer 3 forwarding devices, while non-Layer 3 authentication does not.
User identifier
In Layer 3 authentication mode, a client is uniquely identified by its IP address. This is because the
mode supports Layer 3 forwarding devices between the authentication client and the access device, so
the access device does not learn the MAC address of the authentication client. In non-Layer 3
authentication mode, a client is uniquely identified by the combination of its IP address and MAC
address because the access device can learn the MAC address of the authentication client.
Because of these differences, when the MAC address of an authentication client remains the same but
the IP address changes, a new portal authentication is triggered in Layer 3 authentication mode
but not in non-Layer 3 authentication mode. In non-Layer 3 authentication mode, a new
portal authentication is triggered only when both the MAC address and the IP address of the
authentication client change.