Portal server, Authentication/accounting server, Security policy server – H3C Technologies H3C SecPath F1000-E User Manual
Page 4: Portal authentication modes, Layer 3 portal authentication

Portal server
Server that listens to authentication requests from authentication clients and exchanges client
authentication information with the access device. It provides free portal services and pushes web
authentication pages to users.
Authentication/accounting server
Server that implements user authentication and accounting through interaction with the access device.
Security policy server
Server that interacts with authentication clients and access devices for security check and resource
authorization.
The above five components interact in the following procedure:
1. When an unauthenticated user enters a website address in the address bar of the browser to
   access the Internet, an HTTP request is created and sent to the access device, which redirects the
   HTTP request to the web authentication homepage of the portal server. For extended portal
   functions, authentication clients must run the portal client software.
2. On the authentication homepage/authentication dialog box, the user enters and submits the
   authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the
   authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security
   policy for the user. If not, it allows the user to access the Internet. Otherwise, the client
   communicates with the access device and security policy server for security check. If the client
   passes security check, the security policy server authorizes the user to access the Internet
   resources.
NOTE:
• An authentication client uses its IP address as its ID. To avoid authentication failures due to address
  translations, make sure that there is no Network Address Translation (NAT) device between the
  authentication client, access device, portal server, and authentication/accounting server when
  deploying portal authentication.
• Currently, only a RADIUS server can serve as the remote authentication/accounting server in a portal
  system.
• Currently, security check requires the cooperation of the H3C iNode client.
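
The four-step procedure and the NAT note above, as a simplified Python model (an added example, not H3C code or configuration). The class and function names, state labels, portal URL, sample users and addresses, and the handling of a failed lookup or failed security check are assumptions of the model.

```python
from dataclasses import dataclass, field

PORTAL_URL = "http://portal.example/login"  # hypothetical portal homepage

@dataclass
class AccessDevice:
    radius_users: dict   # stand-in for the RADIUS server: user -> password
    policy_users: set    # users that have a corresponding security policy
    state: dict = field(default_factory=dict)  # client IP (the client's ID) -> state

    def http_request(self, src_ip, url):
        """Step 1: redirect unauthenticated clients to the portal homepage."""
        if self.state.get(src_ip) == "online":
            return ("forward", url)
        self.state.setdefault(src_ip, "redirected")
        return ("redirect", PORTAL_URL)

    def portal_submit(self, client_ip, user, password):
        """Steps 2-4: the portal server passes on credentials, keyed by client IP."""
        if client_ip not in self.state:
            return "fail: unknown client IP"  # the ID no longer matches (e.g. NAT)
        if self.radius_users.get(user) != password:
            return "fail: rejected by RADIUS"
        if user in self.policy_users:
            self.state[client_ip] = "pending-security-check"
            return "pending-security-check"
        self.state[client_ip] = "online"  # no security policy: access allowed
        return "online"

    def security_check_result(self, client_ip, passed):
        """Step 4: access is authorized only after a passed security check."""
        if self.state.get(client_ip) != "pending-security-check":
            return "fail: no pending check"
        # Returning to the redirected state on failure is an assumption of this model.
        self.state[client_ip] = "online" if passed else "redirected"
        return self.state[client_ip]

def run_flow(client_ip, ip_seen_by_portal, user, password, check_passed=True):
    """Run one client through the flow; both addresses are constructed samples."""
    dev = AccessDevice({"alice": "pw1", "bob": "pw2"}, {"bob"})
    trace = [dev.http_request(client_ip, "http://example.com/")[0]]
    result = dev.portal_submit(ip_seen_by_portal, user, password)
    trace.append(result)
    if result == "pending-security-check":
        trace.append(dev.security_check_result(ip_seen_by_portal, check_passed))
    trace.append(dev.http_request(client_ip, "http://example.com/")[0])
    return trace
```

Calling `run_flow("10.0.0.5", "203.0.113.9", "alice", "pw1")` models a translated address between the client and the portal server: the credentials are valid, yet the client stays redirected because the ID reported to the access device does not match the one it recorded.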
Portal Authentication Modes
The device supports portal authentication at Layer 3. You can use different Layer 3 portal authentication
modes according to your networking scenarios.
Layer 3 portal authentication
In Layer 3 authentication mode, portal authentication is enabled on an access device’s Layer 3 interface
that connects authentication clients. Portal authentication performed on a Layer 3 interface can be direct
authentication, re-DHCP authentication, or cross-subnet authentication. In direct authentication and
re-DHCP authentication, no Layer 3 forwarding devices exist between the authentication client and the
access device. In cross-subnet authentication, Layer 3 forwarding devices may exist between the
authentication client and the access device.