Portal Support For EAP - HP A6600 Configuration Manual


Re-DHCP authentication
Before authentication, a user gets a private IP address through DHCP and can access only the portal
server and predefined free websites. After passing authentication, the user is allocated a public IP
address and can access the network resources. No public IP address is allocated to those who fail
authentication. This solves the IP address planning and allocation problem. For
example, a service provider can allocate public IP addresses to broadband users only when they access
networks beyond the residential community network.
Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding devices to
be present between the authentication client and the access device.
In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client's IP address
is used for client identification. After a client passes authentication, the access device generates an ACL
for the client based on the client's IP address to permit packets from the client to go through the access
port. Because no Layer 3 devices are present between the authentication clients and the access device in
direct authentication and re-DHCP authentication, the access device can directly learn the MAC
addresses of the clients. It can control the forwarding of packets from clients in a more granular way by
also using the learned MAC addresses.

Portal support for EAP

Authentication that relies on a username and password is less secure. Digital certificate authentication
is usually used to ensure higher security.
EAP supports several digital certificate-based authentication methods, for example, EAP-TLS. Working
together with EAP, portal authentication can implement digital certificate-based user authentication.
Figure 44 Portal support for EAP working flow diagram
As shown in Figure 44, the authentication client and the portal server exchange EAP authentication
packets. The portal server and the access device exchange portal authentication packets that carry the
EAP-Message attributes. The access device and the RADIUS server exchange RADIUS packets that carry
the EAP-Message attributes. The RADIUS server that supports the EAP server function processes the EAP
packets encapsulated in the EAP-Message attributes and provides the EAP authentication result. During
the whole EAP authentication process, the access device does not process the packets that carry the
EAP-Message attributes but only transports them between the portal server and the RADIUS server.
Therefore, no additional configuration is needed on the access device.
NOTE:
To use portal authentication that supports EAP, the portal server and client must be the HP iMC portal
server and the HP iNode portal client.
Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication.
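The RADIUS leg of the flow described above, as an added example that is not part of the HP manual: this Python code reassembles the EAP-Message attributes (RADIUS attribute type 79, RFC 3579) from an Access-Request, verifies the accompanying Message-Authenticator, and reports the EAP method, which lets you confirm from a capture that a certificate-based method such as EAP-TLS is really in use. The function names, the shared secret and the sample packet are constructed for illustration.

```python
import hashlib, hmac, struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80      # RADIUS attribute types (RFC 3579)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def attributes(packet):
    """Yield (type, value_offset, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def inspect_eap(packet, secret):
    """Reassemble the relayed EAP packet and check Message-Authenticator (Access-Request)."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    packet, eap, fragments, mac_ok = packet[:length], b"", 0, False
    for atype, off, value in attributes(packet):
        if atype == EAP_MESSAGE:                 # long EAP packets span several attributes
            eap, fragments = eap + value, fragments + 1
        elif atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            mac_ok = hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("missing or truncated EAP packet")
    known = eap[0] in (1, 2) and len(eap) > 4    # only Request/Response carry a type byte
    method = EAP_TYPES.get(eap[4], "type %d" % eap[4]) if known else None
    return {"code": EAP_CODES.get(eap[0]), "method": method,
            "fragments": fragments, "mac_ok": mac_ok}

def build_access_request(eap, secret):
    """Constructed sample: Access-Request (code 1) with a zeroed Request Authenticator."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]   # 253 = max attribute value
    attrs = b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

# Constructed EAP-Response: identifier 7, type 13 (EAP-TLS), flags 0, 300 filler bytes.
SAMPLE_EAP = struct.pack("!BBHBB", 2, 7, 306, 13, 0) + bytes(300)
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    print(inspect_eap(build_access_request(SAMPLE_EAP, SECRET), SECRET))
```

Replies from the RADIUS server compute Message-Authenticator over the Request Authenticator of the matching request, so the integrity check here applies to Access-Request packets only.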
