Layer 3 portal authentication process – H3C Technologies H3C SecPath F1000-E User Manual
Page 125
115
packets from the client to go through the access port. Because no Layer 3 devices are present
between the authentication clients and the access device in direct authentication and re-DHCP
authentication, the access device can directly learn the MAC addresses of the clients, and thus can
control the forwarding of packets from clients in a more granular way by also using the learned
MAC addresses.
Layer 3 portal authentication process
Direct authentication and cross-subnet authentication share the same authentication process, while
re-DHCP authentication has a different process because of the presence of two address allocation
procedures.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 110 Direct authentication/cross-subnet authentication process
The direct authentication/cross-subnet authentication takes the following procedure:
1.
An authentication client initiates authentication by sending an HTTP request. When the HTTP
packet arrives at the access device, the access device allows it to pass if it is destined for the portal
server or a predefined free website, or redirects it to the portal server if it is destined for other
websites. The portal server pushes a Web authentication page to the user and the user enters the
username and password.
2.
The portal server and the access device exchange Challenge Handshake Authentication Protocol
(CHAP) messages. For Password Authentication Protocol (PAP) authentication, this step is skipped.
3.
The portal server assembles the username and password into an authentication request message
and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an
authentication acknowledgment message.
4.
The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
5.
The access device sends an authentication reply to the portal server.
6.
The portal server sends an authentication success message to the authentication client to notify it of
logon success.
7.
The portal server sends an authentication reply acknowledgment message to the access device.
With extended portal functions, the process includes two additional steps:
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS