HP 5120 SI Series Security Configuration Manual page 126

Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 37 Direct authentication/cross-subnet authentication process
The direct authentication/cross-subnet authentication takes the following procedure:
1. An authentication client initiates authentication by sending an HTTP request. When the HTTP
packet arrives at the access device, the access device allows it to pass if it is destined for the portal
server or a predefined free website, or redirects it to the portal server if it is destined for other
websites. The portal server pushes a web authentication page to the user and the user enters the
username and password.
2. The portal server and the access device exchange Challenge Handshake Authentication Protocol
(CHAP) messages. For Password Authentication Protocol (PAP) authentication, this step is skipped.
3. The portal server assembles the username and password into an authentication request message
and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an
authentication acknowledgment message.
4. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
5. The access device sends an authentication reply to the portal server.
6. The portal server sends an authentication success message to the authentication client to notify it of
logon success.
7. The portal server sends an authentication reply acknowledgment message to the access device.
With extended portal functions, the process includes additional steps:
8. The security policy server exchanges security check information with the authentication client to
check whether the authentication client meets the security requirements.
9. Based on the security check result, the security policy server authorizes the user to access certain
resources, and sends the authorization information to the access device. The access device then
controls access of the user based on the authorization information.
114