Web Authentication Process - HPE FlexNetwork 7500 Series Security Configuration Manual

Local portal Web server
The access device acts as the local portal Web server. The local portal Web server pushes the Web
authentication page to authentication clients and forwards user authentication information
(username and password) to the AAA module of the access device. For more information about AAA,
see "Configuring AAA."
AAA server
An AAA server interacts with the access device to implement user authentication, authorization, and
accounting. A RADIUS server can perform authentication, authorization, and accounting for Web
authentication users. An LDAP server can perform authentication for Web authentication users.

Web authentication process

Figure 153 Web authentication process
[Figure: the authentication client, the access device, and the authentication/accounting server. Labeled steps: 1) Initiate a connection; 2) RADIUS authentication; 3) Notify the user of login success.]
The Web authentication process is as follows:
1. An unauthenticated user sends an HTTP request. When the access device receives the HTTP request on a Layer 2 Ethernet interface enabled with Web authentication, it redirects the request to the Web authentication page. The user enters the username and password on the Web authentication page.
If the user requests the Web authentication page or free Web resources, the access device permits the request. No Web authentication is performed.
2. The access device and the AAA server exchange RADIUS packets to authenticate the user.
3. If the user passes RADIUS authentication, the local portal Web server pushes a login success page to the authentication client.
If the user fails RADIUS authentication, the local portal Web server pushes a login failure page to the authentication client.
Authorization VLAN
Web authentication uses VLANs authorized by the AAA server or the access device to control
network resource access of authenticated users.
After a user passes Web authentication, the AAA server or the access device authorizes the user to
access a VLAN. The access device then adds the user to the authorized VLAN and generates a
MAC VLAN entry on the user access interface. If the authorized VLAN does not exist on the access
device, the access device first creates the VLAN. The access interface allows the packets from the
VLAN to pass, with the VLAN tag stripped.
The initial VLAN and the authorized VLAN of a user might be on different subnets. A user can access
the resources in the authorized VLAN only when the IP address of the client is on the same subnet
as the authorized VLAN. Therefore, a user might need to update the IP address of the client after the
user is assigned to the authorized VLAN.
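The following is an added example, not code from the manual or from HPE: a small Python model of the access-device decisions described in the three-step process above and in the Authorization VLAN section. It shows which HTTP requests are redirected versus permitted, how the RADIUS result selects the success or failure page, how the authorized VLAN is created and recorded as a MAC VLAN entry, and the subnet check that decides whether a client can reach the authorized VLAN. The portal URL, free-resource list, interface names, user records and the in-memory RADIUS stand-in are all constructed for the example.

```python
"""Model of the Web authentication flow and authorization-VLAN handling.

Constructed example for illustration; it is not HPE code and does not speak
real RADIUS. The AAA server is replaced by an in-memory stand-in.
"""
import hmac
import ipaddress
from dataclasses import dataclass, field

AUTH_PAGE = "http://portal.example/login"            # assumed local portal URL
FREE_RESOURCES = {"http://patch.example/", "http://av.example/"}  # assumed free Web resources


class SimulatedRadius:
    """Stand-in for the RADIUS server: username -> password and authorized VLAN."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password):
        rec = self.users.get(username)
        # Constant-time comparison so a wrong password takes the same time as a right one.
        if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
            return None
        return {"vlan": rec["vlan"]}


@dataclass
class AccessDevice:
    web_auth_ports: set                                   # Layer 2 interfaces with Web authentication enabled
    vlans: set = field(default_factory=set)               # VLANs that exist on the device
    mac_vlan_entries: dict = field(default_factory=dict)  # (port, mac) -> authorized VLAN
    authenticated: dict = field(default_factory=dict)     # (port, mac) -> username

    def handle_http(self, port, mac, url):
        """Step 1: decide what happens to an HTTP request arriving on a port."""
        # Ports without Web authentication, and users who already passed it, are not redirected.
        if port not in self.web_auth_ports or (port, mac) in self.authenticated:
            return ("permit", url)
        # The authentication page and free Web resources are permitted without authentication.
        if url.startswith(AUTH_PAGE) or url in FREE_RESOURCES:
            return ("permit", url)
        # Everything else is redirected to the Web authentication page.
        return ("redirect", AUTH_PAGE)

    def login(self, port, mac, username, password, aaa):
        """Steps 2 and 3: consult the AAA server, then choose the page to push."""
        result = aaa.authenticate(username, password)
        if result is None:
            return {"page": "login failure", "vlan": None}
        self.authenticated[(port, mac)] = username
        self.assign_vlan(port, mac, result["vlan"])
        return {"page": "login success", "vlan": result["vlan"]}

    def assign_vlan(self, port, mac, vlan):
        """Authorization VLAN: create the VLAN if missing, then add a MAC VLAN entry."""
        if vlan not in self.vlans:
            self.vlans.add(vlan)
        self.mac_vlan_entries[(port, mac)] = vlan


def client_can_reach_vlan(client_ip, vlan_subnet):
    """Resources in the authorized VLAN are reachable only from an address on its subnet."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(vlan_subnet)


if __name__ == "__main__":
    dev = AccessDevice(web_auth_ports={"GE1/0/1"})
    aaa = SimulatedRadius({"alice": {"password": "s3cret", "vlan": 20}})
    mac = "00:11:22:33:44:55"
    print(dev.handle_http("GE1/0/1", mac, "http://intranet.example/"))   # redirected
    print(dev.login("GE1/0/1", mac, "alice", "s3cret", aaa))            # login success, VLAN 20
    print(dev.handle_http("GE1/0/1", mac, "http://intranet.example/"))   # now permitted
    print(client_can_reach_vlan("10.1.20.5", "10.1.20.0/24"))           # client already on the VLAN subnet
```

The `client_can_reach_vlan` check is the reason the manual warns that a client may need a new IP address after VLAN assignment: an address left over from the initial VLAN's subnet fails this test even though the MAC VLAN entry already exists.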
Auth-Fail VLAN
An Auth-Fail VLAN is a VLAN assigned to users who fail authentication. The Auth-Fail VLAN
provides network resources such as the patch server, virus definitions server, client software server,