Portal Filtering Rules; Mac-Based Quick Portal Authentication - HPE FlexNetwork 10500 Series Security Configuration Manual

8. After receiving the authentication success packet, the client obtains a public IP address through
DHCP. The client then notifies the portal authentication server that it has a public IP address.
9. The portal authentication server notifies the access device that the client has obtained a public
IP address.
10. The access device detects the IP change of the client through DHCP and then notifies the
portal authentication server that it has detected the client's IP change.
11. After receiving the IP change notification packets sent by the client and the access device, the
portal authentication server notifies the client of login success.
12. The portal authentication server sends an IP change acknowledgment packet to the access
device.
Step 13 and step 14 are for extended portal functions.
13. The client and the security policy server exchange security check information. The security
policy server checks whether the user host has installed anti-virus software, virus definition
files, unauthorized software, and operating system patches.
14. The security policy server authorizes the user to access certain network resources based on
the check result. The access device saves the authorization information and uses it to control
access of the user.

Portal filtering rules

The access device uses portal filtering rules to control user traffic forwarding on a portal-enabled
interface.
Based on the configuration and authentication status of portal users, the device generates the
following categories of portal filtering rules:
First category—The rule permits user packets that are destined for the portal Web server and
packets that match the portal-free rules to pass through.
Second category—For an authenticated user with no ACL authorized, the rule allows the user
to access any destination network resources. For an authenticated user with an ACL authorized,
the rule allows users to access resources permitted by the ACL. The device adds the rule when
a user comes online and deletes the rule when the user goes offline.
Third category—The rule redirects all HTTP requests from unauthenticated users to the portal
Web server.
Fourth category—For direct authentication and cross-subnet authentication, the rule forbids
any user packets from passing through. For re-DHCP authentication, the device forbids user
packets with private source addresses from passing.
After receiving a user packet, the device compares the packet against the filtering rules from the first
category to the fourth category. Once the packet matches a rule, the matching process completes.
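The first-match evaluation described above, modelled as an added Python example (not HPE code; the portal Web server address, the portal-free destination and the sample users are constructed, and RFC 1918 ranges are assumed to be what the manual means by private source addresses):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample values for a portal-enabled interface.
PORTAL_WEB_SERVER = ip_address("203.0.113.10")
PORTAL_FREE_RULES = [ip_network("198.51.100.0/24")]  # e.g. DNS/update servers
# Assumption: "private source addresses" in re-DHCP mode means RFC 1918 space.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


@dataclass
class User:
    authenticated: bool = False
    acl: Optional[List] = None  # None = no ACL authorized; else permitted networks


@dataclass
class Packet:
    src: str
    dst: str
    is_http: bool = False


def match_portal_rules(pkt: Packet, user: User, mode: str) -> str:
    """Return the action of the first matching category (first to fourth).
    mode is one of 'direct', 'cross-subnet' or 're-dhcp'."""
    dst = ip_address(pkt.dst)
    # First category: portal Web server and portal-free destinations always pass.
    if dst == PORTAL_WEB_SERVER or any(dst in n for n in PORTAL_FREE_RULES):
        return "permit"
    # Second category: authenticated users; no ACL means any destination,
    # otherwise only destinations the authorized ACL permits.
    if user.authenticated and (user.acl is None or any(dst in n for n in user.acl)):
        return "permit"
    # Third category: HTTP from unauthenticated users is redirected to the portal.
    if not user.authenticated and pkt.is_http:
        return "redirect"
    # Fourth category: deny all (direct, cross-subnet) or private sources (re-DHCP).
    if mode in ("direct", "cross-subnet"):
        return "deny"
    if mode == "re-dhcp" and any(ip_address(pkt.src) in n for n in PRIVATE_NETS):
        return "deny"
    # Assumption: the manual does not state what happens to a re-DHCP packet
    # with a public source that matches nothing, so report it explicitly.
    return "no-match"
```

An authenticated user whose ACL does not permit the destination falls past the second and third categories and is denied by the fourth, which is why the order of evaluation matters.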

MAC-based quick portal authentication

MAC-based quick portal authentication is applicable to scenarios where users access the network
frequently. It allows users to pass authentication without entering a username and password.
MAC-based quick portal authentication is also called MAC-trigger authentication or transparent
portal authentication.
A MAC binding server is required for MAC-trigger authentication. The MAC binding server records
the MAC-to-account bindings of portal users for authentication. The account contains the portal
authentication information of the user, including username and password.
The authentication is implemented as follows:
1. When a user accesses the network for the first time, the access device generates a
MAC-trigger entry that records the user's MAC address and access interface.