Layer 2 Portal Authentication Process - HP 5500 HI Series Configuration Manual

Security

Layer 2 portal authentication process

Figure 39 Local Layer 2 portal authentication process
Local Layer 2 portal authentication takes the following procedure:
1. The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the access device redirects it to the listening IP address of the local portal server, which supports HTTP and HTTPS requests. The local portal server pushes a Web authentication page to the authentication client. The user enters the username and password on the Web authentication page.
   The listening IP address of the local portal server is the IP address of a Layer 3 interface on the access device that can communicate with the portal client. Usually, it is a Loopback interface's IP address.
2. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
3. If the user passes RADIUS authentication, the local portal server pushes a logon success page to the authentication client.
Authorized VLAN
Layer 2 portal authentication supports VLAN assignment by the authentication server. After a user passes
portal authentication, if the authentication server is configured with an authorized VLAN for the user, the
authentication server assigns the authorized VLAN to the access device. Then, the access device adds the
user to the authorized VLAN and generates a MAC VLAN entry. If the authorized VLAN does not exist,
the access device first creates the VLAN.
By deploying the authorized VLAN assignment function, you can control which authenticated users can
access which network resources.
Auth-Fail VLAN
The Auth-Fail VLAN feature allows users failing authentication to access a VLAN that accommodates
network resources such as the patches server, virus definitions server, client software server, and anti-virus
software server, so that the users can upgrade their client software or other programs. Such a VLAN is
called an Auth-Fail VLAN.
Layer 2 portal authentication supports Auth-Fail VLAN on a port that performs MAC-based access control. With an Auth-Fail VLAN configured on a port, if a user on the port fails authentication, the access device creates a MAC VLAN entry based on the MAC address of the user and adds the user to the Auth-Fail VLAN. Then, the user can access the non-HTTP resources in the Auth-Fail VLAN, and all HTTP requests of the user are redirected to the authentication page. If the user passes authentication, the access device adds the user to the assigned VLAN or returns the user to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN. If the user fails the authentication again, the access device keeps the user in the Auth-Fail VLAN. If an access port receives no traffic from a user in the Auth-Fail VLAN during a specified period of time (90 seconds by default), it removes the user from the Auth-Fail VLAN and adds the user to the initial VLAN of the port.
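The per-user VLAN handling described in the Authorized VLAN and Auth-Fail VLAN sections (authorized VLAN assignment, Auth-Fail VLAN entry, HTTP redirection, 90-second idle removal), as an added Python model of the access device's port state; this is not code from the manual or from the device firmware. The class and method names, the "drop" outcome for non-HTTP traffic from unauthenticated users outside the Auth-Fail VLAN, and any MAC addresses used as input are assumptions; the 90-second default is the manual's.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Default idle time before a user is removed from the Auth-Fail VLAN (value from the manual).
AUTH_FAIL_IDLE_TIMEOUT = 90.0


@dataclass
class PortalPort:
    """Per-port access-device state for Layer 2 portal authentication with MAC-based access control."""
    initial_vlan: int
    auth_fail_vlan: int | None = None
    device_vlans: set[int] = field(default_factory=set)        # VLANs that exist on the access device
    mac_vlan: dict[str, int] = field(default_factory=dict)     # MAC VLAN entries (MAC -> VLAN)
    authenticated: set[str] = field(default_factory=set)       # users that passed RADIUS authentication
    last_seen: dict[str, float] = field(default_factory=dict)  # MAC -> time of last traffic on the port

    def vlan_of(self, mac: str) -> int:
        return self.mac_vlan.get(mac, self.initial_vlan)

    def on_radius_result(self, mac: str, passed: bool, authorized_vlan: int | None, now: float) -> int:
        """Apply the outcome of the RADIUS exchange; returns the VLAN the user ends up in."""
        self.last_seen[mac] = now
        if passed:
            self.authenticated.add(mac)
            if authorized_vlan is None:
                self.mac_vlan.pop(mac, None)             # no assignment: back to the port's initial VLAN
            else:
                self.device_vlans.add(authorized_vlan)   # the VLAN is created first if it does not exist
                self.mac_vlan[mac] = authorized_vlan
        elif self.auth_fail_vlan is not None:
            self.mac_vlan[mac] = self.auth_fail_vlan     # MAC VLAN entry placing the user in the Auth-Fail VLAN
        return self.vlan_of(mac)

    def handle_packet(self, mac: str, is_http: bool, now: float) -> str:
        """What the access device does with a frame from `mac`: 'forward', 'redirect' (to the portal) or 'drop'."""
        self.last_seen[mac] = now
        if mac in self.authenticated:
            return "forward"
        if is_http:
            return "redirect"                            # sent to the local portal server's listening address
        if self.auth_fail_vlan is not None and self.mac_vlan.get(mac) == self.auth_fail_vlan:
            return "forward"                             # non-HTTP resources in the Auth-Fail VLAN are reachable
        return "drop"  # assumption: the manual does not describe non-HTTP traffic from other unauthenticated users

    def age_out(self, now: float) -> list[str]:
        """Return idle Auth-Fail VLAN users to the initial VLAN; returns the MACs removed."""
        expired = [m for m, v in self.mac_vlan.items()
                   if v == self.auth_fail_vlan and now - self.last_seen.get(m, now) >= AUTH_FAIL_IDLE_TIMEOUT]
        for m in expired:
            del self.mac_vlan[m]
        return expired
```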
