Portal Authentication Modes; Portal Support For Eap - HP 5120 SI Series Security Configuration Manual

storage medium of the device. A set of customized authentication pages consists of six authentication
pages—the logon page, the logon success page, the online page, the logoff success page, the logon
failure page, and the system busy page. A local portal server pushes a corresponding authentication
page at each authentication phase. If you do not customize the authentication pages, the local portal
server pushes the default authentication pages.
NOTE:
For the rules of customizing authentication pages, see "Customizing authentication pages."

Portal authentication modes

Portal authentication may work at Layer 2 or Layer 3 of the OSI model.
Layer 2 portal authentication
You can enable Layer 2 portal authentication on an access device's Layer 2 ports that connect
authentication clients, so that only clients whose MAC addresses pass authentication can access the
external network. Only the local portal server provided by the access device supports Layer 2 portal
authentication.
Layer 2 portal authentication allows the authentication server to assign different VLANs according to user
authentication results, so that access devices can control user access to resources. After a client
passes authentication, the authentication server can assign an authorized VLAN to allow the user to
access the resources in that VLAN. If a client fails authentication, the authentication server can assign an
Auth-Fail VLAN instead. Layer 3 portal authentication does not support VLAN assignment.
Layer 3 portal authentication
You can enable Layer 3 portal authentication on an access device's Layer 3 interfaces that connect
authentication clients. Portal authentication performed on a Layer 3 interface can be direct authentication
or cross-subnet authentication. In direct authentication, no Layer 3 forwarding devices exist between the
authentication client and the access device. In cross-subnet authentication, Layer 3 forwarding devices
may exist between the authentication client and the access device.
Direct authentication
Before authentication, a user manually configures a public IP address or directly obtains a public IP
address through DHCP, and can access only the portal server and predefined free websites. After
passing authentication, the user can access the network resources.
Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding devices to
be present between the authentication client and the access device.
In direct authentication and cross-subnet authentication, the client's IP address is used for client
identification. After a client passes authentication, the access device generates an access control list (ACL)
for the client based on the client's IP address to permit packets from the client to go through the access
port. Because no Layer 3 devices are present between the authentication clients and the access device in
direct authentication, the access device can directly learn the clients' MAC addresses, and can control
the forwarding of packets from clients in a more granular way by also using the learned MAC addresses.
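The following Python model is an added illustration of the Layer 3 access control described above; it is not code from the manual or the device. Class and function names and all addresses are constructed for the example: before authentication only the portal server and free websites are reachable, after a pass the device permits the client by IP address, and in direct mode it also binds the rule to the MAC address it learned, so a packet carrying an authenticated IP from a different MAC is dropped, whereas cross-subnet mode can only match on IP.

```python
from dataclasses import dataclass, field

# Constructed sample addresses for the model (not from the manual).
PORTAL_SERVER = "10.0.0.10"
FREE_WEBSITES = {"10.0.0.20"}


@dataclass
class PortalAccessDevice:
    """Hypothetical model of an access device running Layer 3 portal authentication."""
    mode: str                                       # "direct" or "cross-subnet"
    permits: dict = field(default_factory=dict)     # client IP -> bound MAC (or None)

    def on_auth_result(self, client_ip, client_mac, passed):
        """Install or remove the per-client ACL entry after the authentication result."""
        if not passed:
            self.permits.pop(client_ip, None)       # failed clients get no permit rule
            return
        # Only in direct mode is the client's MAC learned directly by the access
        # device, so only then is the rule bound to the MAC as well as the IP.
        self.permits[client_ip] = client_mac if self.mode == "direct" else None

    def forward(self, src_ip, src_mac, dst_ip):
        """Return True if a client packet is allowed through the access port."""
        if dst_ip == PORTAL_SERVER or dst_ip in FREE_WEBSITES:
            return True                             # reachable even before authentication
        if src_ip not in self.permits:
            return False                            # client has not passed authentication
        bound_mac = self.permits[src_ip]
        return bound_mac is None or bound_mac == src_mac


def demo(mode):
    """Walk one client through the mode and report the forwarding decisions."""
    dev = PortalAccessDevice(mode)
    client_ip, client_mac, internet = "192.168.1.50", "00:11:22:33:44:55", "203.0.113.5"
    before = dev.forward(client_ip, client_mac, internet)        # expect False
    portal = dev.forward(client_ip, client_mac, PORTAL_SERVER)   # expect True
    dev.on_auth_result(client_ip, client_mac, passed=True)
    after = dev.forward(client_ip, client_mac, internet)         # expect True
    other_mac = dev.forward(client_ip, "aa:bb:cc:dd:ee:ff", internet)
    return {"before": before, "portal": portal, "after": after, "other_mac": other_mac}
```

In direct mode `other_mac` is False because the permit rule is bound to the learned MAC; in cross-subnet mode it is True, which is the coarser, IP-only control the text describes.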

Portal support for EAP

Authentication by username and password alone is less secure. Digital certificate authentication is
usually used where higher security is required.
