Portal Authentication Process - HP MSR Series Configuration Manual

HPE FlexNetwork MSR Router Series

Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding
devices to exist between the authentication client and the access device.
In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP
address uniquely identifies the user. After a user passes authentication, the access device generates
an ACL for the user based on the user's IP address to control forwarding of the packets from the user.
Because no Layer 3 forwarding device exists between authentication clients and the access device
in direct authentication and re-DHCP authentication, the access device can learn the user MAC
addresses. The access device can enhance its capability of controlling packet forwarding by using
the learned MAC addresses.

Portal authentication process

Direct authentication and cross-subnet authentication share the same authentication process.
Re-DHCP authentication has a different process as it has two address allocation procedures.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 49 Direct authentication/cross-subnet authentication process
(Figure not reproduced. The sequence starts at the authentication client: 1) Initiate a connection.)
The direct/cross-subnet authentication process is as follows:
1. A portal user accesses the Internet through HTTP, and the HTTP packet arrives at the access device.
   - If the packet matches a portal-free rule, the access device allows the packet to pass.
   - If the packet does not match any portal-free rule, the access device redirects the packet to the portal Web server. The portal Web server pushes the Web authentication page to the user so that the user can enter a username and password.
2. The portal Web server submits the user authentication information to the portal authentication server.
3. The portal authentication server and the access device exchange CHAP messages. This step is skipped for PAP authentication. The portal authentication server decides the method (CHAP or PAP) to use.
4. The portal authentication server adds the username and password into an authentication request packet and sends it to the access device. Meanwhile, the portal authentication server starts a timer to wait for an authentication reply packet.
5. The access device and the RADIUS server exchange RADIUS packets.
(Figure 49, remaining labels. Participants: portal Web server, portal authentication server, access device, AAA server, security policy server. Messages: 2) User information, 3) CHAP authentication, 4) Authentication request (timer started), 5) RADIUS authentication, 6) Authentication reply, 7) Notify login success, 8) Authentication reply acknowledgment, 9) Security check, 10) Authorization.)
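The forwarding decision from step 1, combined with the IP-keyed ACL and MAC learning described under cross-subnet authentication, as an added Python model (not HP's code or device configuration). The class, method and result names, the treatment of portal-free rules as destination networks, and the denial on a MAC mismatch are assumptions; all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccessDevice:
    """Simplified model of the access device's per-packet decision (hypothetical names)."""
    mode: str                                          # "direct" or "cross-subnet"
    free_dests: list = field(default_factory=list)     # portal-free rules, modeled as destination networks
    sessions: dict = field(default_factory=dict)       # user IP -> learned MAC, or None if not learnable

    def add_free_rule(self, cidr):
        self.free_dests.append(ipaddress.ip_network(cidr))

    def login(self, src_ip, src_mac):
        # After authentication the device builds an ACL keyed on the user's IP.
        # Only with no Layer 3 hop in between (direct mode here) does the device
        # see the client's own MAC, so only then can it bind the MAC as well.
        self.sessions[src_ip] = src_mac if self.mode == "direct" else None

    def decide(self, src_ip, src_mac, dst_ip):
        if any(ipaddress.ip_address(dst_ip) in net for net in self.free_dests):
            return "permit-free-rule"
        if src_ip in self.sessions:
            bound_mac = self.sessions[src_ip]
            if bound_mac is None or bound_mac == src_mac:
                return "permit-user-acl"
            return "deny-mac-mismatch"                 # assumption: mismatch is denied
        return "redirect-to-portal"

def demo(mode):
    """Run the same constructed packets through a device in the given mode."""
    dev = AccessDevice(mode)
    dev.add_free_rule("198.51.100.53/32")              # constructed: a server reachable before login
    user_ip, user_mac = "192.0.2.10", "00:00:5e:00:53:01"
    other_mac, web = "00:00:5e:00:53:02", "203.0.113.80"
    before = dev.decide(user_ip, user_mac, web)        # not yet authenticated
    free = dev.decide(user_ip, user_mac, "198.51.100.53")
    dev.login(user_ip, user_mac)                       # steps 2-5 succeeded
    after = dev.decide(user_ip, user_mac, web)
    same_ip_other_mac = dev.decide(user_ip, other_mac, web)
    return before, free, after, same_ip_other_mac

if __name__ == "__main__":
    for m in ("direct", "cross-subnet"):
        print(m, demo(m))
```

In the model, the last value differs between the two modes: with the MAC bound, the IP address alone is no longer sufficient to match the user's ACL.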
