Layer 2 Portal Authentication Process - HP 3600 v2 Series Security Configuration Manual
Hide thumbs
Also See for 3600 v2 Series:
- Command reference manual (510 pages) ,
- Configuration manual (449 pages) ,
- Installation manual (62 pages)
Table of Contents
Advertisement
Layer 2 portal authentication process
Figure 54 Local Layer 2 portal authentication process
Local Layer 2 portal authentication takes the following procedure:
The portal authentication client sends an HTTP or HTTPS request. Upon receiving the HTTP request,
1.
the access device redirects it to the listening IP address of the local portal server, which then pushes
a web authentication page to the authentication client. The user types the username and password
on the web authentication page. The listening IP address of the local portal server is the IP address
of a Layer 3 interface on the access device that can communicate with the portal client. Usually, it
is a loopback interface's IP address.
The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
2.
If the user passes RADIUS authentication, the local portal server pushes a logon success page to
3.
the authentication client.
Authorized VLAN
Layer 2 portal authentication supports VLAN assignment by the authentication server. After a user passes
portal authentication, if the authentication server is configured with an authorized VLAN for the user, the
authentication server assigns the authorized VLAN to the access device. Then, the access device adds the
user to the authorized VLAN and generates a MAC VLAN entry. If the authorized VLAN does not exist,
the access device first creates the VLAN.
By deploying the authorized VLAN assignment function, you can control which authenticated users can
access which network resources.
Auth-Fail VLAN
The Auth-Fail VLAN feature allows users failing authentication to access a VLAN that accommodates
network resources such as the patches server, virus definitions server, client software server, and anti-virus
software server, so that the users can upgrade their client software or other programs. Such a VLAN is
called an Auth-Fail VLAN.
Layer 2 portal authentication supports Auth-Fail VLAN on a port that performs MAC-based access control.
With an Auth-Fail VLAN configured on a port, if a user on the port fails authentication, the access devices
creates a MAC VLAN entry based on the MAC address of the user and adds the user to the Auth-Fail
VLAN. Then, the user can access the non-HTTP resources in the Auth-Fail VLAN, and all HTTP requests of
the user will be redirected to the authentication page. If the user passes authentication, the access device
adds the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on
whether the authentication server assigns a VLAN. If the user fails the authentication, the access device
keeps the user in the Auth-Fail VLAN. If an access port receives no traffic from a user in the Auth-Fail
VLAN during a specified period of time (90 seconds by default), it removes the user from the Auth-Fail
VLAN and adds the user to the initial VLAN of the port.
128
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
