Portal Authentication Modes - HPE FlexNetwork 5510 HI Series Security Configuration Manual

authentication server. Then the portal authentication server processes the information and
forwards it to the access device.
3. The access device interacts with the AAA server to implement authentication, authorization,
and accounting for the user.
4. If security policies are not imposed on the user, the access device allows the authenticated user
to access the Internet. If security policies are imposed on the user, the portal client, the access
device, and the security policy server interact to check the user host. If the user passes the
security check, the security policy server authorizes the user to access resources based on the
check result. Portal authentication through Web does not support security check for users. To
implement security check, the client must be the HPE iNode client.

NOTE:
Portal authentication supports NAT traversal whether it is initiated by a Web client or an HPE iNode
client. NAT traversal must be configured when the portal client is on a private network and the portal
server is on a public network.

Portal authentication modes

Portal authentication has three modes: direct authentication, re-DHCP authentication, and
cross-subnet authentication. In direct authentication and re-DHCP authentication, no Layer 3
forwarding devices exist between the authentication client and the access device. In cross-subnet
authentication, Layer 3 forwarding devices can exist between the authentication client and the
access device.

Direct authentication

A user manually configures a public IP address or obtains a public IP address through DHCP. Before
authentication, the user can access only the portal Web server and predefined authentication-free
websites. After passing authentication, the user can access other network resources. The process of
direct authentication is simpler than that of re-DHCP authentication.

Re-DHCP authentication

Before a user passes authentication, DHCP allocates an IP address (a private IP address) to the
user. The user can access only the portal Web server and predefined authentication-free websites.
After the user passes authentication, DHCP reallocates an IP address (a public IP address) to the
user. The user then can access other network resources. No public IP address is allocated to users
who fail authentication. Re-DHCP authentication saves public IP addresses. For example, an ISP
can allocate public IP addresses to broadband users only when they access networks beyond the
residential community network.
Only the HPE iNode client supports re-DHCP authentication. IPv6 portal authentication does not
support the re-DHCP authentication mode.

Cross-subnet authentication

Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding
devices to exist between the authentication client and the access device.

In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP
address uniquely identifies the user. After a user passes authentication, the access device generates
an ACL for the user based on the user's IP address to control forwarding of the packets from the user.
Because no Layer 3 forwarding device exists between authentication clients and the access device
in direct authentication and re-DHCP authentication, the access device can learn the user MAC
addresses. The access device can enhance its capability of controlling packet forwarding by using
the learned MAC addresses.
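
The forwarding rule described above, as an added Python model that is not HPE's code or part of the manual: it shows the pre-authentication allow list, the per-user ACL keyed by IP address, and why the learned-MAC check is available only when no Layer 3 hop sits between client and access device. The class name, the addresses (documentation ranges), and the exact-match MAC check are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample addresses (documentation ranges), not taken from the manual.
PORTAL_WEB_SERVER = ip_address("192.0.2.10")
AUTH_FREE = {ip_address("192.0.2.53")}  # a predefined authentication-free destination

@dataclass
class AccessDevice:  # hypothetical model of the access device
    mode: str  # "direct", "re-dhcp" or "cross-subnet"
    sessions: dict = field(default_factory=dict)  # user IP -> learned MAC or None

    def binds_mac(self) -> bool:
        # Without a Layer 3 hop, the frame's source MAC belongs to the user host.
        return self.mode in ("direct", "re-dhcp")

    def authenticate(self, src_ip: str, src_mac: str) -> None:
        """Record a user that passed authentication; the per-user ACL is keyed by IP."""
        self.sessions[ip_address(src_ip)] = src_mac if self.binds_mac() else None

    def forward(self, src_ip: str, src_mac: str, dst_ip: str) -> bool:
        """Return True if the access device forwards the packet."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        if dst == PORTAL_WEB_SERVER or dst in AUTH_FREE:
            return True   # reachable before authentication
        if src not in self.sessions:
            return False  # unauthenticated user: all other destinations blocked
        bound = self.sessions[src]
        return bound is None or bound == src_mac  # assumed exact-match MAC check

def demo() -> dict:
    """Per mode: (before auth, after auth, same IP seen with a different MAC)."""
    ip, mac, other_mac = "198.51.100.7", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    results = {}
    for mode in ("direct", "cross-subnet"):
        dev = AccessDevice(mode)
        pre = dev.forward(ip, mac, "203.0.113.80")
        dev.authenticate(ip, mac)
        post = dev.forward(ip, mac, "203.0.113.80")
        mismatch = dev.forward(ip, other_mac, "203.0.113.80")
        results[mode] = (pre, post, mismatch)
    return results

if __name__ == "__main__":
    print(demo())
```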