Portal Authentication Process - 3Com MSR 50 Series Configuration Manual

3com msr 30-16: software guide

Portal Authentication Process
the MAC address of the authentication client. In the non-Layer-3 authentication
mode, a user is uniquely identified by the combination of its IP address and MAC
address because the access device can learn the MAC address of the
authentication client.
As mentioned above, it is possible to trigger a new portal authentication in Layer-3
authentication mode when the MAC address of the authentication client is
unaltered but the IP address is changed. This is not the case in non-Layer-3
authentication mode. Instead, a new portal authentication will be triggered in the
non-Layer-3 authentication mode only when the MAC and IP addresses of the
authentication client are both changed.
Direct authentication and Layer 3 portal authentication share the same
authentication process. The re-DHCP authentication process is different
because it involves two address allocation procedures.
Direct authentication/Layer 3 portal authentication process
Figure 537 Direct authentication/Layer 3 portal authentication process
[Figure labels: portal client; initiate a connection (1); notify the user of login success (6)]
For portal authentication, the direct authentication/Layer 3 portal authentication
process is as follows:
1 A portal user initiates an authentication request through HTTP. When HTTP
packets arrive at the access device, the access device allows those destined for the
portal server or predefined free websites to pass, but redirects those destined for
other websites to the portal server. The portal server provides a web page for the
user to enter username and password for authentication.
2 The portal server and the access device exchange messages for Challenge
Handshake Authentication Protocol (CHAP) authentication. For Password
Authentication Protocol (PAP) authentication, this step is skipped.
3 The portal server assembles the username and password into an authentication
request message and sends it to the access device. Meanwhile, the portal server
starts a timer to wait for an authentication acknowledgment message.
4 The access device and the RADIUS server exchange RADIUS packets.
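
An added example, not taken from the 3Com manual: a minimal model of the CHAP exchange in step 2, using the RFC 1994 response formula, to show that the authentication request assembled in step 3 then carries a one-time digest instead of the password and that a captured request cannot be replayed. The `Verifier` class, the dictionary field names and the sample credentials are hypothetical; the actual message format used between the portal server and the access device is not shown on this page.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Verifier:
    """Hypothetical stand-in for the side that holds the stored passwords."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.pending = {}  # identifier -> challenge, consumed on first use

    def new_challenge(self):
        identifier, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[identifier] = challenge
        return identifier, challenge

    def check(self, user, identifier, response):
        challenge = self.pending.pop(identifier, None)  # one-time challenge
        stored = self.passwords.get(user)
        if challenge is None or stored is None:
            return False
        expected = chap_response(identifier, stored, challenge)
        return hmac.compare_digest(expected, response)


def portal_login(verifier, user, password):
    """Steps 2 and 3 as seen from the portal server (field names assumed)."""
    identifier, challenge = verifier.new_challenge()           # step 2
    request = {"user": user, "id": identifier,                 # step 3
               "response": chap_response(identifier, password, challenge)}
    return request, verifier.check(user, identifier, request["response"])


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    v = Verifier({"alice": b"s3cret-pass"})
    req, ok = portal_login(v, "alice", b"s3cret-pass")
    print("first login accepted:", ok)
    print("replayed request accepted:", v.check("alice", req["id"], req["response"]))
```
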
[Figure 537 labels, continued: portal server; access device; authentication/accounting server; security policy server; timer; CHAP authentication (2); authentication request (3); exchange RADIUS packets (4); authentication acknowledgement (5); authentication acknowledgement affirmation (7); exchange security verification (8); authorization (9)]
