Web Authentication Process; Web Authentication Support For Vlan Assignment - HPE FlexNetwork 10500 Series Security Configuration Manual


Local portal Web server
The access device acts as the local portal Web server. The local portal Web server pushes the Web
authentication page to authentication clients and forwards user authentication information
(username and password) to the AAA module of the access device. For more information about AAA,
see "Configuring AAA."
AAA server
An AAA server interacts with the access device to implement user authentication, authorization, and
accounting. A RADIUS server can perform authentication, authorization, and accounting for Web
authentication users. An LDAP server can perform authentication for Web authentication users.

Web authentication process

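Figure 165 Web authentication process
(Figure not reproduced. Labels: authentication client, access device, authentication/accounting
server; 1) Initiate a connection, 2) RADIUS authentication, 3) Notify the user of login success.)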
The Web authentication process is as follows:
1. An unauthenticated user sends an HTTP request. When the access device receives the HTTP
   request on a Layer 2 Ethernet interface enabled with Web authentication, it redirects the
   request to the Web authentication page. The user enters the username and password on the
   Web authentication page.
   If the user requests the Web authentication page or free Web resources, the access device
   permits the request. No Web authentication is performed.
2. The access device and the AAA server exchange RADIUS packets to authenticate the user.
3. If the user passes RADIUS authentication, the local portal Web server pushes a login success
   page to the authentication client.
   If the user fails RADIUS authentication, the local portal Web server pushes a login failure page
   to the authentication client.

Web authentication support for VLAN assignment

Authorization VLAN
Web authentication uses VLANs authorized by the AAA server or the access device to control
network resource access of authenticated users.
After a user passes Web authentication, the AAA server or the access device authorizes the user to
access a VLAN. If the authorization VLAN does not exist, the access device first creates the VLAN
and then assigns the user access interface as an untagged member to the VLAN. If the authorization
VLAN already exists, the access device directly assigns the user access interface as an untagged
member to the VLAN. Then, the user can access resources in the authorization VLAN.
The initial VLAN and the authorization VLAN of a user might be on different subnets. A user can
access the resources in the authorization VLAN only when the IP address of the client is on the same
subnet as the authorization VLAN. Therefore, a user might need to update the IP address of the
client after the user is assigned to the authorization VLAN.
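
The following is an added example, not taken from the HPE manual. It extracts the authorization VLAN from a RADIUS Access-Accept and lists the two device steps described above, which is useful when checking a packet capture against what the switch applied. Assumptions: the AAA server conveys the VLAN in the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which this page does not state; the sample packet and the port name are constructed.

```python
import struct

# RFC 2868 / RFC 3580 tunnel attributes (assumed VLAN encoding; not stated on this page).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, TYPE_VLAN, MEDIUM_IEEE_802 = 2, 13, 6

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: value bytes} from a RADIUS packet, validating lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = {}, 20                      # attributes start after the 20-octet header
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return attrs

def authorization_vlan(packet: bytes):
    """Return the authorized VLAN ID from an Access-Accept, or None if none is assigned."""
    if packet[:1] != bytes([ACCESS_ACCEPT]):
        return None
    attrs = parse_attributes(packet)
    ttype, medium, group = (attrs.get(t) for t in (64, 65, 81))
    if None in (ttype, medium, group) or len(ttype) != 4 or len(medium) != 4:
        return None
    # First octet is the tag; the value is the remaining three octets.
    if (int.from_bytes(ttype[1:], "big"), int.from_bytes(medium[1:], "big")) != (TYPE_VLAN, MEDIUM_IEEE_802):
        return None
    if group[:1] and group[0] <= 0x1F:       # optional tag octet on the string attribute
        group = group[1:]
    text = group.decode("ascii", "replace")
    return int(text) if text.isdigit() and 1 <= int(text) <= 4094 else None

def plan_assignment(vlan: int, existing: set, port: str) -> list:
    """Steps the page describes: create the VLAN if absent, then add the port untagged."""
    steps = [] if vlan in existing else [f"create VLAN {vlan}"]
    return steps + [f"assign {port} to VLAN {vlan} as untagged member"]

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

# Constructed sample: Access-Accept (id 1, zeroed authenticator) authorizing VLAN 20.
_body = (_attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d") + _attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
         + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20"))
SAMPLE = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(_body)) + bytes(16) + _body

if __name__ == "__main__":
    print(plan_assignment(authorization_vlan(SAMPLE), {1, 10}, "GE1/0/1"))  # constructed port name
```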